[midPoint] Authorizing access to reports

Radovan Semancik radovan.semancik at evolveum.com
Thu Sep 15 13:55:35 CEST 2016


Hi Aivo,

That's right again. The authorization mechanism in midPoint runs quite 
deep. The report is executed as a task. The owner of that task is the user 
who executed it. And such a task can only access the data that are 
accessible to the task owner. This is one of the basic "defense in 
depth" mechanisms that midPoint implements. It may be a security issue 
if we allow a report to access more data than the user who executes it 
is allowed to see.

But I see what you need. You maybe want something like a UNIX "suid" 
mechanism for reports. This can be done in tasks, so it also should work 
for scheduled reports. But I do not know if we have anything like that 
for reports that are explicitly executed from the GUI. Maybe one of my 
colleagues will know.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 09/15/2016 01:45 PM, Aivo Kuhlberg wrote:
>
> I was too optimistic in my previous mail. In principle the reporting 
> functions now work, but when I view the generated reports, the 
> reported results depend on the authorization of the user who 
> generated the report. To save my time figuring out the correct 
> authorizations for each report, is it possible to run reports under 
> another user name who has more rights (e.g. administrator)?
>
> Best Regards,
> Aivo Kuhlberg
>
>
> ------------------------------------------------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Aivo 
> Kuhlberg <aivo.kuhlberg at rmit.ee>
> *Sent:* 15 September 2016 13:54
> *To:* midPoint General Discussion
> *Subject:* Re: [midPoint] Authorizing access to reports
>
> I think I figured out what my problem was. It seems that there also 
> exists a ReportOutputType. So the following additional authorization 
> solved my problems:
>
> <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
>     <object>
>         <type>ReportOutputType</type>
>     </object>
> </authorization>
>
> Best Regards,
> Aivo Kuhlberg
>
> ------------------------------------------------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Aivo 
> Kuhlberg <aivo.kuhlberg at rmit.ee>
> *Sent:* 15 September 2016 13:40
> *To:* midpoint
> *Subject:* [midPoint] Authorizing access to reports
>
> I want to create a role which gives a user the ability to access the reports 
> section. The user should see reports, run them and access the generated 
> reports. Unfortunately there is not much information to be found in the wiki 
> about reports authorization. So far I figured out how to give access 
> to the reports section by adding the reportsAll GUI authorization. I also 
> figured out that there exists a ReportType object, and by adding read 
> ability to that object I succeeded in running a report. Unfortunately I don't 
> see any created reports. It seems that there is still some authorization 
> missing. My current authorizations in the role are the following:
>
> <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#reportsAll</action>
> </authorization>
> <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <object>
>         <type>ReportType</type>
>     </object>
> </authorization>
>
> Best Regards,
> Aivo Kuhlberg
>
>
> ------------------------------------------------------------------------
> This e-mail may contain information classified for internal use.
> This e-mail may contain information which is classified for official use.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
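Putting the three authorizations from the thread together, here is a complete role object as it could be imported into midPoint. This is an added example, not a role posted by either participant; the role name and the oid are placeholders. Note Radovan's point above: these authorizations let the user open the Reports section, run report definitions and read or delete the generated outputs, but the data a report collects is still limited to what the executing user is authorized to read.

```xml
<!-- Added example role combining the authorizations discussed in the thread.
     The name and oid are placeholders; replace the oid with a real UUID before import. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="00000000-0000-0000-0000-REPLACEME0000">
    <name>Report Viewer</name>

    <!-- GUI authorization: makes the Reports section visible in the user interface -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#reportsAll</action>
    </authorization>

    <!-- Model authorization: read report definitions so they can be listed and run -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>ReportType</type>
        </object>
    </authorization>

    <!-- Model authorization: read and delete the generated report outputs -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
        <object>
            <type>ReportOutputType</type>
        </object>
    </authorization>
</role>
```

Assigning this role gives a user the report workflow described in the thread without granting any read access to the objects the reports themselves enumerate; that access still comes from the user's other roles, which is what keeps a report from disclosing more than its owner may see.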
