[midPoint] Problem with role with manager approval

Pavol Mederly mederly at evolveum.com
Sat Aug 13 08:49:57 CEST 2016


Hello Aivo,


you're right - yesterday I tried it as administrator. Now, when logging 
in as testuser, the role gets approved automatically.


The problem is that the script for determining approvers runs under 
testuser authorizations, so it doesn't "see" the manager. This is a 
design problem that I somehow overlooked. (Actually, the problem is 
broader: there are also other scripts that could run as part of the 
operation, like notification scripts, model script hooks, and maybe some 
advanced mappings - all of these are executed in the context of the 
logged-in user.)


We have to look at it more thoroughly. I've created MID-3343 
<https://jira.evolveum.com/browse/MID-3343> for it.


An immediate workaround is to give end users an ability to see at least 
all users' OIDs:


<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>UserType</type>
    </object>
    <item>a-non-existing-item-to-allow-see-only-OID</item>
</authorization>


This should be acceptable from a security point of view, as long as you 
don't give end users the ability to use non-GUI access (and do not allow 
the "Configuration->Repository objects" part of the menu for them).


As for the second problem (errors when logged as testmanager): this is 
probably related to MID-3121 
<https://jira.evolveum.com/browse/MID-3121>. But it shouldn't occur in 
this form; so I've created a separate MID-3344 
<https://jira.evolveum.com/browse/MID-3344> for it.


Overall, thanks for pointing out these problems. We'll do our best to fix 
them.


Best regards,

Pavol Mederly
Software developer
evolveum.com
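The two points above (the approver script being evaluated under the requester's authorizations, and an empty approver list leading to automatic approval) can be shown with a small model. This is an added example, not midPoint code: an in-memory object store with constructed users and an org, a read authorization modelled on the `#read`/`self_only`/`item` semantics discussed in this thread, a stand-in for `midpoint.getManagersOidsExceptUser(object)` that performs its lookups as a given principal, and a decision step that can fail open (the reported behaviour) or fail closed. The user OIDs, the `AUTHS` table, and the names `search_users`, `managers_oids_except_user`, `request_role` and `scenarios` are assumptions of the model; only the org OID is taken from the posted trace.

```python
"""Model of approver resolution under the requester's authorizations.

Constructed example, not midPoint code. It shows why an approver script
evaluated as the requesting end user finds no manager, why the OID-only
read authorization works around it, and why an empty approver set should
fail closed instead of approving the request.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class User:
    oid: str
    name: str
    member_of: frozenset   # org OIDs (parentOrgRef with the default relation)
    manager_of: frozenset  # org OIDs (parentOrgRef with relation=manager)


@dataclass(frozen=True)
class ReadAuth:
    """A '#read' authorization on UserType in this model.
    self_only: applies only to the principal's own object.
    items: None = whole object; otherwise only the named items, plus the OID,
    which is returned whenever the object itself is readable (so a
    non-existing item name yields an OID-only view, as in the workaround)."""
    self_only: bool = False
    items: Optional[frozenset] = None


ITEMS = ("name", "member_of", "manager_of")

# Constructed data mirroring the thread's objects. User OIDs are made up;
# TESTORG is the org OID from the posted OrgStructFunctionsImpl trace.
TESTORG = "5b763e10-6c87-4a38-babb-067447f95f73"
USERS: Dict[str, User] = {
    "u-admin": User("u-admin", "administrator", frozenset(), frozenset()),
    "u-testuser": User("u-testuser", "testuser", frozenset({TESTORG}), frozenset()),
    "u-testmanager": User("u-testmanager", "testmanager",
                          frozenset({TESTORG}), frozenset({TESTORG})),
}
FULL_READ = ReadAuth()                 # administrator
SELF_READ = ReadAuth(self_only=True)   # typical end-user role
OID_ONLY_READ = ReadAuth(items=frozenset({"a-non-existing-item-to-allow-see-only-OID"}))
AUTHS: Dict[str, Tuple[ReadAuth, ...]] = {   # assumed role assignments
    "u-admin": (FULL_READ,),
    "u-testuser": (SELF_READ,),
    "u-testmanager": (SELF_READ,),
}


def search_users(principal: str, auths: Sequence[ReadAuth],
                 predicate: Callable[[User], bool]) -> List[dict]:
    """Repository search as seen by `principal`: the filter runs on the stored
    objects, unreadable objects are dropped, and the rest are projected to the
    items the principal's authorizations allow."""
    out = []
    for u in USERS.values():
        if not predicate(u):
            continue
        applicable = [a for a in auths if not a.self_only or u.oid == principal]
        if not applicable:
            continue  # object exists but is invisible to this principal
        if any(a.items is None for a in applicable):
            allowed = set(ITEMS)
        else:
            allowed = set().union(*(a.items for a in applicable)) & set(ITEMS)
        view = {"oid": u.oid}
        view.update({i: getattr(u, i) for i in allowed})
        out.append(view)
    return out


def managers_oids_except_user(user_oid: str, principal: str,
                              auths: Sequence[ReadAuth]) -> List[str]:
    """Stand-in for midpoint.getManagersOidsExceptUser(object) in this model.
    Both lookups go through search_users, so they are bounded by the
    authorizations of the principal the script runs as, not of the subject."""
    me = search_users(principal, auths, lambda u: u.oid == user_oid)
    if not me or "member_of" not in me[0]:
        return []
    orgs = me[0]["member_of"]
    hits = search_users(principal, auths, lambda u: bool(u.manager_of & orgs))
    return sorted(h["oid"] for h in hits if h["oid"] != user_oid)


def request_role(requester: str, script_principal: str,
                 extra_auths: Sequence[ReadAuth] = (),
                 fail_open: bool = True) -> Tuple[str, List[str]]:
    """Resolve approvers for `requester` with the approver script evaluated
    under `script_principal`'s authorizations (plus `extra_auths`), then decide.
    fail_open=True reproduces the reported behaviour: no approvers found means
    the assignment goes through without anyone approving it."""
    auths = tuple(AUTHS[script_principal]) + tuple(extra_auths)
    approvers = managers_oids_except_user(requester, script_principal, auths)
    if approvers:
        return "PENDING_APPROVAL", approvers
    return ("AUTO_APPROVED" if fail_open else "REJECTED_NO_APPROVERS"), approvers


def scenarios() -> Dict[str, Tuple[str, List[str]]]:
    return {
        # administrator assigns the role: the script sees testmanager
        "admin_assigns": request_role("u-testuser", "u-admin"),
        # testuser requests it: the script runs as testuser, finds nobody
        "self_request": request_role("u-testuser", "u-testuser"),
        # same request, with the OID-only read authorization from the workaround
        "self_request_workaround": request_role("u-testuser", "u-testuser", (OID_ONLY_READ,)),
        # same request without the workaround, but an empty approver set is a failure
        "self_request_fail_closed": request_role("u-testuser", "u-testuser", fail_open=False),
    }


if __name__ == "__main__":
    for name, (decision, approvers) in scenarios().items():
        print(f"{name:26s} {decision:22s} approvers={approvers}")
```

In this model the search filter is applied to the stored object before the projection, which is why an OID-only grant is enough for the manager lookup to succeed; it is also why the caveat about non-GUI access matters, since a principal who can issue arbitrary searches could learn attribute values of objects it is otherwise only allowed to see the OID of.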

On 12.08.2016 15:32, Aivo Kuhlberg wrote:
>
> Hi Pavol,
> Did you try to log on as testuser and request a role 
> "testrole-needsmanagerapproval"? In this case request gets 
> automatically approved.
> When I assign the role to testuser as administrator then it seems to 
> work for me too. I see that the workflow process starts and is waiting for 
> testmanager approval. But when I log on as testmanager and open the work 
> item, the following errors appear in the log:
>
> 2016-08-12 16:38:23,359 [] [http-nio-8083-exec-4] ERROR 
> (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error 
> post-processing object 
> task:00000000-0000-0000-0000-000000000005(null): Access denied
> com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
> ...
> 2016-08-12 16:38:23,361 [] [http-nio-8083-exec-4] ERROR 
> (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error 
> post-processing object 
> task:00000000-0000-0000-0000-000000000006(null): Access denied
> com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
> ...
> 2016-08-12 16:38:23,363 [] [http-nio-8083-exec-4] ERROR 
> (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error 
> post-processing object 
> task:00000000-0000-0000-0000-000000000007(null): Access denied
> com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
> ...
> 2016-08-12 16:38:23,365 [] [http-nio-8083-exec-4] ERROR 
> (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error 
> post-processing object 
> task:3fa47adf-4d08-4b94-9668-71c6b6fff1d0(null): Access denied
> com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
> ...
> 2016-08-12 16:38:23,367 [] [http-nio-8083-exec-4] ERROR 
> (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error 
> post-processing object 
> task:42bc12ce-24be-4146-baea-aed301707e7b(null): Access denied
> com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
> ...
> 2016-08-12 16:38:23,371 [] [http-nio-8083-exec-4] ERROR 
> (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error 
> post-processing object 
> task:63657c46-1fba-4586-997f-a45fa771567f(null): Access denied
> com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
> ...
> 2016-08-12 16:38:23,373 [] [http-nio-8083-exec-4] ERROR 
> (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error 
> post-processing object 
> task:7e2cc986-c454-48da-a706-cefa67d36c77(null): Access denied
> com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
> ...
> 2016-08-12 16:38:23,375 [] [http-nio-8083-exec-4] ERROR 
> (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error 
> post-processing object 
> task:86508079-e041-44c9-a181-a0954b8cf2f9(null): Access denied
> com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
>
> User testmanager can still approve the request but from the log 
> messages it seems that there are some authorization problems.
>
>
> Regards,
>
> Aivo
>
> ------------------------------------------------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Pavol 
> Mederly <mederly at evolveum.com>
> *Sent:* 12 August 2016 15:09
> *To:* midpoint at lists.evolveum.com
> *Subject:* Re: [midPoint] Problem with role with manager approval
>
> Aivo,
>
>
> this is really strange.
>
>
> I've imported your objects (testorg, testuser, testmanager, and 
> testrole-needsmanagerapproval). Assigned testrole-needsmanagerapproval 
> to testuser and it works...
>
>
>
> It's true that I have 3.5-SNAPSHOT, but I don't know of any 
> differences in the code in this respect...
>
>
> Just to be sure, could you try on master? Or, could you enable TRACE 
> logging on:
>
>   * com.evolveum.midpoint.repo.sql.helpers.ObjectRetriever
>   * com.evolveum.midpoint.repo.sql.query2
>
> and try again? (Unfortunately, this would produce tons of log data.)
>
> Pavol Mederly
> Software developer
> evolveum.com
> On 12.08.2016 13:47, Aivo Kuhlberg wrote:
>>
>> Hi Pavol,
>>
>> Here is the log:
>> 2016-08-12 14:49:02,001 [] [http-nio-8083-exec-9] TRACE 
>> (com.evolveum.midpoint.model.impl.expr.OrgStructFunctionsImpl): 
>> orgOids: [5b763e10-6c87-4a38-babb-067447f95f73]
>> 2016-08-12 14:49:02,003 [] [http-nio-8083-exec-9] TRACE 
>> (com.evolveum.midpoint.model.impl.expr.OrgStructFunctionsImpl): 
>> retval: []
>> 2016-08-12 14:49:02,004 [] [http-nio-8083-exec-9] TRACE 
>> (com.evolveum.midpoint.model.impl.expr.OrgStructFunctionsImpl): 
>> nextLevelOids: []
>> 2016-08-12 14:49:02,004 [] [http-nio-8083-exec-9] WARN 
>> (com.evolveum.midpoint.wf.impl.processes.itemApproval.InitializeLoopThroughApproversInLevel): 
>> No approvers at the level 'null' for process Assigning 
>> testrole-needsmanagerapproval to testuser (id 10193)
>>
>> and here are objects (credentials removed):
>>
>> testorg: http://pastebin.com/1rX21Chs
>>
>> testuser: http://pastebin.com/8iXPbefJ
>>
>> testmanager: http://pastebin.com/PiKAcKdg
>>
>>
>> Regards,
>>
>> Aivo
>>
>> ------------------------------------------------------------------------
>> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Pavol 
>> Mederly <mederly at evolveum.com>
>> *Sent:* 12 August 2016 14:09
>> *To:* midpoint at lists.evolveum.com
>> *Subject:* Re: [midPoint] Problem with role with manager approval
>>
>> Hello Aivo,
>>
>>
>> that's interesting. It should work. I don't see any obvious problem, 
>> but I do not have enough time to try it myself now.
>>
>>
>> You could enable TRACE logging for 
>> com.evolveum.midpoint.model.impl.expr.OrgStructFunctionsImpl and run 
>> your test once again.
>>
>> If still no clue, please paste here relevant parts of the log, as 
>> well as XML of your testuser, testmanager, testorg objects.
>>
>>
>> Best regards,
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>> On 12.08.2016 13:00, Aivo Kuhlberg wrote:
>>>
>>> Hello,
>>>
>>> I am trying to test (in MP 3.4) the situation where a user requests a 
>>> role which requires the user's organization manager's approval, but so far 
>>> I have not succeeded.
>>> I created the following role (based on the Sensitive Role 3 example here: 
>>> https://wiki.evolveum.com/display/midPoint/Some+examples )
>>>
>>> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>>>     <name>testrole-needsmanagerapproval</name>
>>>     <requestable>true</requestable>
>>>     <approverExpression>
>>>         <description>Get user's managers (except the user itself)</description>
>>>         <script>
>>>             <code>midpoint.getManagersOidsExceptUser(object)</code>
>>>         </script>
>>>     </approverExpression>
>>> </role>
>>>
>>> I have created users testuser and testmanager and added both to the 
>>> organization testorg as members and also testmanager as manager.
>>> I added role Approver to testmanager.
>>> Now when I request the role "testrole-needsmanagerapproval" for user 
>>> testuser, the role gets automatically assigned without manager 
>>> approval. It seems that the getManagersOidsExceptUser function does not 
>>> find any manager for that user and therefore approves this role 
>>> automatically. Why is it so?
>>>
>>> Best regards,
>>>
>>> Aivo Kuhlberg
>>>
>>>
>>> ------------------------------------------------------------------------
>>> This e-mail may contain information which is classified for official 
>>> use.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
