[midPoint] Org structure visibility

Michalis Siochos msiochos at gmail.com
Wed Oct 12 10:35:11 CEST 2016


Hello Ivan & All,

I experience an issue when I assign more than one managed OU to a 
single user.

I have the following structure:
- Company
-- Division 1
--- Subdivision 1
-- Division 2
--- Subdivision 2
- Projects
-- Project 1
-- Project 2

In case a user is the manager of a single OU, I get the expected 
behaviour:
- Manager can see the org structure and the users assigned to the org subtree

In case a user is the manager of more than one OU:
- Manager can see no orgs or users apart from himself and the top-level OUs 
(the role provides explicit authorization to them)

It seems that the below authorization does not work as expected in case 
of multiple managed orgs:

  <authorization id="10">
     <name>Magic read/modify</name>
     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
     <object>
        <orgRelation>
           <subjectRelation xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">org:manager</subjectRelation>
           <scope>allDescendants</scope>
           <includeReferenceOrg>true</includeReferenceOrg>
        </orgRelation>
     </object>
  </authorization>

I have tried this role as is but no luck: 
https://github.com/Evolveum/midpoint/blob/master/samples/stories/multitenant-idm-saas/roles/role-customer-authz-admin.xml

Is this a known limitation?
Am I missing something?

Thanks!
Michalis

On 10/06/2016 10:42 AM, Ivan Noris wrote:
> Hi Michalis,
>
> yes the End user role gives significantly more than needed for that
> scenario. If it's not clear enough from the scenario description (or
> there is something that misled you) please let me know and I will
> update the texts.
>
> I have not tested the scenario recently, so if there is any regression,
> also let me know.
>
> Thanks,
>
> Ivan
>
>
> On 10/06/2016 08:23 AM, Michalis Siochos wrote:
>> Hello,
>>
>> Problem solved. I was testing with "End User" role assigned which
>> provided more authorizations than I expected.
>> When I unassigned and fine tuned my own role, it worked as expected.
>>
>> Thanks!
>>
>> On 10/06/2016 07:04 AM, Мамаева Сауле Сериковна wrote:
>>> Hi, I'm also interested in this case. I faced the same problem.
>>>
>>> Best regards,
>>> Saule Mamayeva
>>> s.mamayeva at ktg.kz
>>>
>>> -----Original Message-----
>>> From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf
>>> Of Michalis Siochos
>>> Sent: Wednesday, October 05, 2016 3:18 PM
>>> To: midpoint at lists.evolveum.com
>>> Subject: [midPoint] Org structure visibility
>>>
>>> Hi All,
>>>
>>> I'm trying to achieve something really straightforward with MidPoint
>>> 3.4.1. I would like an OU Manager to be able to see the org structure
>>> but only the OU(s) or subtree(s) he's managing.
>>>
>>> I've been following this story:
>>> https://evolveum.com/blog/midpoint-goes-multitenant/
>>>
>>> However, when I add the following authorizations, the manager gets
>>> full view of the org structure
>>> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgStruct</action>
>>> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgTree</action>
>>>
>>>
>>> I have tried tenant orgs but no luck.
>>>
>>> It seems that I miss something. Could you please advise?
>>>
>>> Thanks!
>>> Michalis
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
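
The visibility Michalis expects from the orgRelation authorization above, written down as a small reference model. This is an added example and not midPoint's own code: it models subjectRelation, scope (allDescendants or directDescendants) and includeReferenceOrg as a union over every org where the subject holds the relation, so that the expected set for a manager of two OUs can be stated precisely and compared against what the GUI shows. The org tree matches the one in the mail; the user names, the "member" relation name and the assignments are constructed for the example.

```python
"""Reference model of orgRelation-style visibility.

Added example, not midPoint code. For each org where the subject holds the
subjectRelation (here "manager"), the model includes that org when
includeReferenceOrg is true, adds the orgs selected by scope, and unions
the results over all such reference orgs. Holding the relation on several
orgs therefore never yields less than holding it on any one of them.
"""

# Constructed org tree from the mail: child -> parent (None for the two roots).
ORG_PARENT = {
    "Company": None,
    "Division 1": "Company",
    "Subdivision 1": "Division 1",
    "Division 2": "Company",
    "Subdivision 2": "Division 2",
    "Projects": None,
    "Project 1": "Projects",
    "Project 2": "Projects",
}

# Constructed assignments: (user, org, relation). "manager" mirrors the
# org:manager relation in the mail; "member" is a constructed name for
# ordinary membership in this model.
ASSIGNMENTS = [
    ("alice", "Division 1", "manager"),
    ("alice", "Project 1", "manager"),   # alice manages two OUs
    ("bob", "Division 2", "manager"),    # bob manages a single OU
    ("carol", "Subdivision 1", "member"),
    ("dave", "Division 2", "member"),
    ("erin", "Project 1", "member"),
    ("frank", "Project 2", "member"),
]


def children(org):
    """Direct child orgs of org."""
    return {child for child, parent in ORG_PARENT.items() if parent == org}


def descendants(org, direct_only=False):
    """All (or only direct) descendant orgs of org, excluding org itself."""
    found = set()
    frontier = children(org)
    while frontier:
        found |= frontier
        if direct_only:
            break
        frontier = {g for child in frontier for g in children(child)}
    return found


def reference_orgs(subject, subject_relation):
    """Orgs where subject holds subject_relation (the orgRelation reference orgs)."""
    return {org for user, org, rel in ASSIGNMENTS
            if user == subject and rel == subject_relation}


def visible_orgs(subject, subject_relation="manager", scope="allDescendants",
                 include_reference_org=True):
    """Orgs the subject may read: union over every reference org of the org
    itself (if includeReferenceOrg) plus the orgs selected by scope."""
    if scope not in ("allDescendants", "directDescendants"):
        raise ValueError(f"unsupported scope in this model: {scope}")
    visible = set()
    for ref in reference_orgs(subject, subject_relation):
        if include_reference_org:
            visible.add(ref)
        visible |= descendants(ref, direct_only=(scope == "directDescendants"))
    return visible


def visible_users(subject, **authz):
    """Users assigned (with any relation) to an org the subject can see."""
    orgs = visible_orgs(subject, **authz)
    return {user for user, org, _ in ASSIGNMENTS if org in orgs}


if __name__ == "__main__":
    for who in ("bob", "alice", "carol"):
        print(who, sorted(visible_orgs(who)), sorted(visible_users(who)))
```

Under this model a manager of Division 1 and Project 1 should see both subtrees and everyone assigned to them, never fewer objects than a manager of either OU alone; a plain member with no manager relation gets nothing from this authorization. Self-read and the top-level OUs come from the other authorizations in the role, not from this one, so they are left out of the model.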