[midPoint] Problem closing In remediation certification stage campaign

Pavol Mederly mederly at evolveum.com
Fri Sep 16 10:52:58 CEST 2016


Or, could you try the following:


Just add the certification-specific authorizations _without_ specifying 
object type. These are not applicable to any other type, so it's no 
security risk. As I looked at the code, it should help.

Pavol Mederly
Software developer
evolveum.com

On 16.09.2016 10:40, Aivo Kuhlberg wrote:
>
> I have created a special user who should have access to manage all 
> certification tasks. Unfortunately this user cannot close the 
> certification stage campaign when the campaign is in state 'In 
> remediation'.
> I have assigned to the user a role which has the following authorizations:
>
>     <authorization id="1">
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#certificationAll</action>
>     </authorization>
>     <authorization id="2">
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#createCertificationCampaign</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaign</action>
>         <object>
>             <type>AccessCertificationDefinitionType</type>
>         </object>
>     </authorization>
>     <authorization id="3">
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#openCertificationCampaignReviewStage</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaignReviewStage</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#startCertificationRemediation</action>
>         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaign</action>
>         <object>
>             <type>AccessCertificationCampaignType</type>
>         </object>
>     </authorization>
>
> Notice that I have set the 'closeCertificationCampaign' auth both for 
> 'AccessCertificationDefinitionType' and 
> 'AccessCertificationCampaignType' (the wiki says 
> <https://wiki.evolveum.com/display/midPoint/Access+Certification+Security> 
> that this should be set only for 'AccessCertificationCampaignType').
> In addition to these authorizations, the user has the role 'Reviewer' assigned.
> I have created a certification definition and set remediation to 'Manual 
> reconciliation (non-conformant items are reported)'.
> After that I created a new campaign, started it and closed the stage. 
> Then I started the remediation. So far it works fine, but when I want 
> to close the campaign, which is now in the remediation stage, I see 
> the following error:
> User ''certmanager'' not authorized for operation 
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaign
>
> Best Regards,
>
> Aivo kuhlberg
