[midPoint] midPoint Digest, Vol 38, Issue 1
Petr Gašparík
petr at gasparik.cz
Mon Jun 1 22:00:21 CEST 2015
Thank you, it works!
Now, what is the best page on wiki to put it in?
On Mon 1 Jun 2015 at 9:02, <midpoint-request at lists.evolveum.com>
wrote:
> Today's Topics:
>
> 1. Re: authorization for role requests (Ivan Noris)
> 2. Re: authorization for role requests (Ivan Noris)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 01 Jun 2015 08:52:24 +0200
> From: Ivan Noris <ivan.noris at evolveum.com>
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] authorization for role requests
> Message-ID: <556C0128.6010507 at evolveum.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Petr,
>
> I was experimenting with this some time ago. Users can request only roles
> with "requestable == true". Modify as you need.
>
> Read permissions on Resource (which I guess is permitted by default) and
> Shadows (which is not) seem to be missing; I'll try to find more
> examples. In general, you need to see the Resource objects, Shadows for
> accounts and Shadows for entitlements (associations). And assigned roles
> of course.
>
> <role oid="00000000-dc00-dc00-0004-000000000043"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>   <name>ASK ROLES FOR HIMSELF</name>
>   <description>Role allowing to ask roles for self-service</description>
>   <!-- GUI -->
>   <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</action>
>   </authorization>
>   <!-- Model -->
>   <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <object>
>       <special>self</special>
>     </object>
>   </authorization>
>   <!-- Authorization to read roles (to display assigned roles). GUI
>        authorization limits the usage on pages. -->
>   <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <object>
>       <type>RoleType</type>
>       <!-- Only requestable=true roles to avoid meta-roles etc. being assigned
>            by support (which assigned THIS role) -->
>       <filter>
>         <q:equal>
>           <q:path>requestable</q:path>
>           <q:value>true</q:value>
>         </q:equal>
>       </filter>
>     </object>
>   </authorization>
>   <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
>     <phase>request</phase>
>     <target>
>       <type>RoleType</type>
>       <filter>
>         <q:equal>
>           <q:path>requestable</q:path>
>           <q:value>true</q:value>
>         </q:equal>
>       </filter>
>     </target>
>   </authorization>
>   <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
>     <phase>execution</phase>
>   </authorization>
> </role>
>
> Best regards,
> Ivan
>
> On 05/29/2015 05:39 PM, Petr Gašparík wrote:
> > Hi,
> > I'm doing a basic approval scheme.
> > It works well in requesting (end user) and approval (his manager), but
> > then the workflow is suspended.
> >
> > Error is:
> > User 'demo.user' not authorized for operation
> > http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify
> >
> > My guess is that I need to add some authorization to the End User role,
> > but it is unclear to me for what.
> > identity self? shadow account? something else?
> >
> > thank you in advance
> >
> > best regards
> > --
> > Petr Gašparík
> >
> >
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > http://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ing. Ivan Noris
> Senior Identity Management Engineer & IDM Architect
> evolveum.com evolveum.com/blog/
> ___________________________________________________
> "Semper Id(e)M Vix."
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 01 Jun 2015 09:02:01 +0200
> From: Ivan Noris <ivan.noris at evolveum.com>
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] authorization for role requests
> Message-ID: <556C0369.9030102 at evolveum.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Petr,
>
> This one could be even better.
>
> The interesting part is roleType filtering. I wanted the users to be
> able to request any role with requestable==true, but e.g. End User seems
> not to have this, and I wanted the Dashboard to also display this one if
> it is assigned. I also "created" roleType==provisioning. These roles are
> also displayed in the Dashboard if they are assigned.
>
> <role oid="00000000-dc00-dc00-0004-000000000043"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>   <name>Self-service - ask roles</name>
>   <description>Role allowing to ask roles for self-service</description>
>   <!-- GUI -->
>   <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</action>
>   </authorization>
>   <!-- Model -->
>   <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <object>
>       <special>self</special>
>     </object>
>   </authorization>
>   <!--
>   <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
>     <object>
>       <special>self</special>
>     </object>
>   </authorization>
>   -->
>   <!--
>   <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>   </authorization>
>   -->
>   <!-- Authorization to read roles (to display assigned roles). GUI
>        authorization limits the usage on pages. -->
>   <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <object>
>       <type>RoleType</type>
>       <!-- Only requestable=true roles to avoid meta-roles etc. being assigned
>            by support (which is assigned THIS role) -->
>       <filter>
>         <q:equal>
>           <q:path>requestable</q:path>
>           <q:value>true</q:value>
>         </q:equal>
>       </filter>
>     </object>
>   </authorization>
>   <!-- Authorization to read entitlements and generic -->
>   <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <object>
>       <type>ShadowType</type>
>       <filter>
>         <q:or>
>           <q:equal>
>             <q:path>kind</q:path>
>             <q:value>entitlement</q:value>
>           </q:equal>
>           <q:equal>
>             <q:path>kind</q:path>
>             <q:value>generic</q:value>
>           </q:equal>
>         </q:or>
>       </filter>
>     </object>
>   </authorization>
>   <!-- Authorization to read roles (to display assigned roles). GUI
>        authorization limits the usage on pages. -->
>   <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <decision>deny</decision>
>     <object>
>       <type>RoleType</type>
>       <!-- Only requestable roles -->
>       <filter>
>         <q:and>
>           <q:not>
>             <q:equal>
>               <q:path>name</q:path>
>               <q:value>End User</q:value>
>             </q:equal>
>           </q:not>
>           <q:not>
>             <q:equal>
>               <q:path>requestable</q:path>
>               <q:value>true</q:value>
>             </q:equal>
>           </q:not>
>           <q:not>
>             <q:equal>
>               <q:path>roleType</q:path>
>               <q:value>provisioning</q:value>
>             </q:equal>
>           </q:not>
>         </q:and>
>       </filter>
>     </object>
>   </authorization>
>   <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
>     <phase>request</phase>
>     <target>
>       <type>RoleType</type>
>       <filter>
>         <q:equal>
>           <q:path>requestable</q:path>
>           <q:value>true</q:value>
>         </q:equal>
>       </filter>
>     </target>
>   </authorization>
>   <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
>     <phase>execution</phase>
>   </authorization>
>   <roleType>provisioning</roleType>
> </role>
>
> Ivan
>
>
> ------------------------------
--
Petr G.
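Since the whole thread is about getting the scope of each authorization right, here is an added example (my own Python, not code from the thread or from midPoint) that parses a role like the ones quoted above and reports, per <authorization>, its decision, phase, object/target scope and a readable rendering of the prism filter, flagging model-level allow rules that carry no <object> or <target> at all. The embedded sample role is a constructed, trimmed copy of Ivan's second role (the ShadowType rule is left out); element names follow the XML above. Two things are my own choices rather than anything the thread states: a rule without <phase> is labelled "both", and GUI actions (authorization-3#...) are never flagged because they do not take an object scope.

```python
"""Audit the <authorization> entries of a midPoint role definition.

Added example; not from the mailing-list thread and not part of midPoint.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

C_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
Q_NS = "http://prism.evolveum.com/xml/ns/public/query-3"
NS = {"c": C_NS, "q": Q_NS}
GUI_NS = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-3"
MODEL_NS = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3"

# Constructed sample: a trimmed copy of the "Self-service - ask roles" role
# from the thread (the ShadowType read rule is omitted to keep it short).
SAMPLE_ROLE = f"""<role xmlns="{C_NS}" xmlns:q="{Q_NS}">
  <name>Self-service - ask roles</name>
  <authorization><action>{GUI_NS}#users</action><action>{GUI_NS}#user</action></authorization>
  <authorization><action>{MODEL_NS}#read</action><object><special>self</special></object></authorization>
  <authorization><action>{MODEL_NS}#read</action>
    <object><type>RoleType</type>
      <filter><q:equal><q:path>requestable</q:path><q:value>true</q:value></q:equal></filter>
    </object></authorization>
  <authorization><action>{MODEL_NS}#read</action><decision>deny</decision>
    <object><type>RoleType</type>
      <filter><q:and>
        <q:not><q:equal><q:path>name</q:path><q:value>End User</q:value></q:equal></q:not>
        <q:not><q:equal><q:path>requestable</q:path><q:value>true</q:value></q:equal></q:not>
        <q:not><q:equal><q:path>roleType</q:path><q:value>provisioning</q:value></q:equal></q:not>
      </q:and></filter>
    </object></authorization>
  <authorization><action>{MODEL_NS}#assign</action><action>{MODEL_NS}#unassign</action>
    <phase>request</phase>
    <target><type>RoleType</type>
      <filter><q:equal><q:path>requestable</q:path><q:value>true</q:value></q:equal></filter>
    </target></authorization>
  <authorization><action>{MODEL_NS}#add</action><action>{MODEL_NS}#modify</action>
    <phase>execution</phase></authorization>
</role>
"""


def _short_action(uri: str) -> str:
    """'...authorization-model-3#read' -> 'model:read'; GUI actions -> 'gui:...'."""
    ns, _, frag = uri.strip().rpartition("#")
    return ("gui:" if ns == GUI_NS else "model:" if ns == MODEL_NS else ns + "#") + frag


def render_filter(node: ET.Element) -> str:
    """Render a prism filter built from equal / and / or / not as readable text."""
    kind = node.tag.rsplit("}", 1)[-1]
    if kind == "equal":
        path = (node.findtext("q:path", "?", NS) or "?").strip()
        value = (node.findtext("q:value", "?", NS) or "?").strip()
        return f"{path}={value}"
    if kind == "not":
        return "not(" + render_filter(node[0]) + ")"
    if kind in ("and", "or"):
        return "(" + f" {kind} ".join(render_filter(ch) for ch in node) + ")"
    return f"<{kind}>"  # other filter types are left opaque


def audit_role(xml_text: str) -> List[Dict[str, object]]:
    """One report entry per <authorization>; 'finding' is non-empty for unscoped model allows."""
    root = ET.fromstring(xml_text)
    report = []
    for auth in root.findall("c:authorization", NS):
        actions = [_short_action(a.text or "") for a in auth.findall("c:action", NS)]
        decision = (auth.findtext("c:decision", "allow", NS) or "allow").strip()
        phase = (auth.findtext("c:phase", "both", NS) or "both").strip()  # assumption: no phase = both
        scopes, filters = [], []
        for which in ("object", "target"):
            el = auth.find(f"c:{which}", NS)
            if el is None:
                continue
            special = el.findtext("c:special", None, NS)
            typ = el.findtext("c:type", None, NS)
            scopes.append(f"{which}:" + (f"special={special.strip()}" if special else (typ or "any").strip()))
            flt = el.find("c:filter", NS)
            if flt is not None and len(flt):
                filters.append(render_filter(flt[0]))
        finding = ""
        if decision == "allow" and not scopes and any(a.startswith("model:") for a in actions):
            finding = "unscoped allow: no <object>/<target>, applies to every object"
        report.append({"actions": actions, "decision": decision, "phase": phase,
                       "scope": ", ".join(scopes), "filter": " ; ".join(filters),
                       "finding": finding})
    return report


if __name__ == "__main__":
    for i, e in enumerate(audit_role(SAMPLE_ROLE), 1):
        print(f"{i}. {e['decision']:5} {e['phase']:9} {','.join(e['actions'])} "
              f"[{e['scope']}] {e['filter']} {e['finding']}")
```

Run it as-is to print the report for the embedded sample; point audit_role() at your own role XML to audit a real one. The last entry (add/modify in the execution phase with no object) is the one the script flags: it is what the roles above rely on to get past the "not authorized for operation ...#modify" error, and whether that is acceptable depends entirely on the request-phase rules staying tight, which is why the script reports it rather than deciding for you.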