[midPoint] Securing the GUI
Pavol Mederly
mederly at evolveum.com
Thu Aug 6 22:52:26 CEST 2015
Hello Pat,
unfortunately, this is not implemented yet. See
https://jira.evolveum.com/browse/MID-2223. I assume we'll implement it
in a few weeks.
How crucial is it for you?
Best regards,
Pavol
> That worked great, I can reconcile a user, and only allow viewing
> other attributes.
>
> One more item of concern I ran into: I restrict “List Tasks” to
> viewing of details for a task, as I am wanting, but I can still
> “Run/Suspend/Resume” a task. How can I tighten this and not allow
> these task functions to be performed but still allow viewing of details?
>
> Pat
>
> From: Pavol Mederly [mailto:mederly at evolveum.com]
> Sent: Tuesday, August 04, 2015 12:23 PM
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] Securing the GUI
>
> Hello Pat,
>
> user reconciliation is actually executed as an empty modify action,
> with the option of reconcile=true.
>
> So I would suggest that you set the following authorizations (provided
> that view-only access is already set up):
>
> <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
>     <phase>execution</phase>
>     <object>
>         <type>UserType</type>
>     </object>
>     <object>
>         <type>ShadowType</type>
>     </object>
> </authorization>
>
> This ensures that the user can do any modification that would be
> computed by the reconciliation.
>
> But you also need to specify that the user cannot request anything
> explicitly. This seems to work:
>
> <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
>     <phase>request</phase>
>     <object>
>         <type>UserType</type>
>     </object>
>     <c:item>dummyItem</c:item>
> </authorization>
>
> (dummyItem is any non-existent item name; if no items were
> specified, the requester could modify anything.)
>
> After applying this, I am able to request a reconciliation of the given
> user(s) from the user list page.
> Actually, I cannot display user details, but maybe it's some
> misconfiguration on my side.
>
> Overall, I'm not a big expert in authorizations; maybe someone on this
> list could improve this suggestion. :)
>
> Best regards,
> Pavol
>
> I am looking to secure the GUI and define a role that has view
> only access, but with the option of performing a reconcile on a
> user as being allowed. I can get the view only option working, but
> how can I overlay allowing reconcile? Does this need to be a
> separate role?
>
> Pat Schlehuber
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
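The quoted suggestion hinges on one detail that is easy to lose when a role is edited later: the request-phase #modify authorization is only safe because it carries an item restriction (the non-existent dummyItem). Drop that element and, as the reply notes, the requester could modify anything. The following Python check is an added example, not code from this thread or from midPoint itself. It parses a role fragment and reports every #modify authorization that applies in the request phase without naming an item. The sample role, the c: namespace URI, and the treatment of a missing <phase> as covering both phases are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Action URI exactly as it appears in the thread.
MODIFY_ACTION = ("http://midpoint.evolveum.com/xml/ns/public/security/"
                 "authorization-model-3#modify")

# Constructed sample role fragment: the two authorizations suggested in the
# thread (execution-phase modify on UserType/ShadowType, request-phase modify
# limited to a non-existent item) plus a third, deliberately unsafe one that
# forgot the item restriction.  The c: namespace URI is an assumption.
SAMPLE_ROLE_XML = """\
<role xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <phase>execution</phase>
    <object><type>UserType</type></object>
    <object><type>ShadowType</type></object>
  </authorization>
  <authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <phase>request</phase>
    <object><type>UserType</type></object>
    <c:item>dummyItem</c:item>
  </authorization>
  <authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <phase>request</phase>
    <object><type>UserType</type></object>
  </authorization>
</role>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    """Text of every direct child of `parent` whose local name is `name`."""
    return [c.text.strip() for c in parent if _local(c.tag) == name and c.text]


def find_unrestricted_request_modify(xml_text):
    """Return [(position, object_types)] for each #modify authorization that
    applies in the request phase but names no <item>.  Position is 1-based in
    document order.  An authorization with no <phase> is assumed (not verified
    against midPoint) to apply to both phases, so it is reported as well."""
    root = ET.fromstring(xml_text)
    findings = []
    authorizations = [e for e in root.iter() if _local(e.tag) == "authorization"]
    for pos, authz in enumerate(authorizations, start=1):
        if MODIFY_ACTION not in _texts(authz, "action"):
            continue
        phases = _texts(authz, "phase")
        if phases and "request" not in phases:
            continue  # execution-only: these are the changes reconcile computes
        if any(_local(c.tag) == "item" for c in authz):
            continue  # item restriction present (e.g. the dummyItem trick)
        types = []
        for obj in (c for c in authz if _local(c.tag) == "object"):
            types.extend(_texts(obj, "type"))
        findings.append((pos, types))
    return findings


if __name__ == "__main__":
    for pos, types in find_unrestricted_request_modify(SAMPLE_ROLE_XML):
        print(f"authorization #{pos}: request-phase #modify on "
              f"{types or ['any object']} has no <item>; "
              f"the requester could modify anything")
```

Run against the constructed sample, the check passes the two authorizations from the thread and flags only the third. Matching on local names rather than full qualified names keeps the check independent of which prefix the role file uses for the common namespace.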