[midPoint] Securing the GUI

Schlehuber, Patrick schlehub at uillinois.edu
Wed Aug 5 17:27:15 CEST 2015 

That worked great, I can reconcile a user, and only allow  viewing other attributes.

One more item of concern I ran into, I restrict “List Tasks” to viewing of details for  a task as I am wanting, but I can still “Run/Suspend/Resume” a task. How can I tighten this and now allow these task functions to be performed but still allow viewing of details?

Pat



From: Pavol Mederly [mailto:mederly at evolveum.com]
Sent: Tuesday, August 04, 2015 12:23 PM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Securing the GUI

Hello Pat,

user reconciliation is actually executed as an empty modify action, with the option of reconcile=true.

So I would suggest you to set the following authorizations (provided that view only access is set up):

<authorization>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify<https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_security_authorization-2Dmodel-2D3-23modify&d=AwMFaQ&c=8hUWFZcy2Z-Za5rBPlktOQ&r=iXq2t42tOKnUMAv8iP_A7TezRYjTq_aHZvlIZHBWsnc&m=R-CGbiY7zLfxibszkkeW9ZHC6lidvmFkIw2mtexyDA8&s=oemhhGbGymEhoHAhSx1Fu25fdU9RjP2B4KnlT7b3uP4&e=></action>
      <phase>execution</phase>
      <object>
         <type>UserType</type>
      </object>
      <object>
         <type>ShadowType</type>
      </object>
</authorization>

This ensures that the user can do any modification that would be computed by the reconciliation.

But you need to specify that the user can not request anything explicitly. This seems to work:

<authorization>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify<https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_security_authorization-2Dmodel-2D3-23modify&d=AwMFaQ&c=8hUWFZcy2Z-Za5rBPlktOQ&r=iXq2t42tOKnUMAv8iP_A7TezRYjTq_aHZvlIZHBWsnc&m=R-CGbiY7zLfxibszkkeW9ZHC6lidvmFkIw2mtexyDA8&s=oemhhGbGymEhoHAhSx1Fu25fdU9RjP2B4KnlT7b3uP4&e=></action>
      <phase>request</phase>
      <object>
         <type>UserType</type>
      </object>
      <c:item>dummyItem</c:item>
</authorization>

(dummyItem is any non-existing item name - if there were no items specified, requester could modify anything)

After applying this, I am able to request a reconciliation of given user(s) from the user list page.
Actually I cannot display user details but maybe it's some misconfiguration at my side.

Overall, I'm not a big expert in authorizations; maybe someone on this list could improve this suggestion. :)

Best regards,
Pavol
I am looking to secure the GUI and define a role that has view only access, but with the option of performing a reconcile on a user as being allowed. I can get the view only option working, but how can I overlay allowing reconcile? Does this need to be a separate role?

Pat Schlehuber





_______________________________________________

midPoint mailing list

midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>

http://lists.evolveum.com/mailman/listinfo/midpoint<https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=AwMFaQ&c=8hUWFZcy2Z-Za5rBPlktOQ&r=iXq2t42tOKnUMAv8iP_A7TezRYjTq_aHZvlIZHBWsnc&m=R-CGbiY7zLfxibszkkeW9ZHC6lidvmFkIw2mtexyDA8&s=hiQDTzrL677lbxd6-BNg6poOL3z00FZxC0lAbwQ_C4g&e=>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20150805/6a81f4ca/attachment.htm>

More information about the midPoint mailing list