[midPoint] Problem closing In remediation certification stage campaign
Aivo Kuhlberg
aivo.kuhlberg at rmit.ee
Fri Sep 16 12:13:11 CEST 2016
Hi Pavol,
Yes, now it works when type is not specified. Thank you. I also created a JIRA task for this bug:
https://jira.evolveum.com/browse/MID-3403
Regards,
Aivo Kuhlberg
________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Pavol Mederly <mederly at evolveum.com>
Sent: 16 September 2016 11:52
To: midPoint General Discussion
Subject: Re: [midPoint] Problem closing In remediation certification stage campaign
Or, could you try the following:
Just add the certification-specific authorizations _without_ specifying object type. These are not applicable to any other type, so it's no security risk. As I looked at the code, it should help.
Pavol Mederly
Software developer
evolveum.com
On 16.09.2016 10:40, Aivo Kuhlberg wrote:
I have created a special user who should have access to manage all certification tasks. Unfortunately this user cannot close the certification stage campaign when the campaign is in state 'In remediation'.
I have assigned to the user a role which has the following authorizations:
<authorization id="1">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#certificationAll</action>
</authorization>
<authorization id="2">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#createCertificationCampaign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaign</action>
    <object>
        <type>AccessCertificationDefinitionType</type>
    </object>
</authorization>
<authorization id="3">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#openCertificationCampaignReviewStage</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaignReviewStage</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#startCertificationRemediation</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaign</action>
    <object>
        <type>AccessCertificationCampaignType</type>
    </object>
</authorization>
Notice that I have set 'closeCertificationCampaign' auth both for 'AccessCertificationDefinitionType' and 'AccessCertificationCampaignType' (wiki says <https://wiki.evolveum.com/display/midPoint/Access+Certification+Security> that this should be set only for 'AccessCertificationCampaignType').
In addition to these authorizations the user has the role 'Reviewer' assigned.
I have created a certification definition and set remediation to 'Manual reconciliation (non-conformant items are reported)'.
After that I created a new campaign, started it and closed the stage. Then I started the remediation. So far it works fine, but when I want to close the campaign, which is now in the remediation stage, I see the following error:
User ''certmanager'' not authorized for operation http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaign
Best Regards,
Aivo Kuhlberg
________________________________
This e-mail may contain information which is classified for official use.
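Added example, not part of the original thread or of midPoint's own documentation: a fragment of the role's authorizations laid out the way the reply above suggests, with the certification-specific actions moved into an authorization that has no object type, while the generic read/add/modify/delete actions stay scoped by type. The separate authorization and its id value 4 are assumptions made for illustration; the action URIs and type names are the ones quoted in the thread, and authorization 1 (certificationAll) is unchanged and omitted.

```xml
<!-- Added example, not from the thread. Fragment of the role's authorizations. -->

<!-- Generic model actions apply to every object type, so they keep their
     <object><type> restriction. -->
<authorization id="2">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
    <object>
        <type>AccessCertificationDefinitionType</type>
    </object>
</authorization>
<authorization id="3">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
    <object>
        <type>AccessCertificationCampaignType</type>
    </object>
</authorization>

<!-- Certification-specific actions: no <object> clause. Per the reply in the
     thread, these actions are not applicable to any other object type, so
     leaving the type out does not widen access.
     Assumption: the id value 4 and the split into its own authorization. -->
<authorization id="4">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#createCertificationCampaign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#openCertificationCampaignReviewStage</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaignReviewStage</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#startCertificationRemediation</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaign</action>
</authorization>
```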