[midPoint] Authorizing access to reports

Pavol Mederly mederly at evolveum.com
Wed Sep 21 10:52:20 CEST 2016


Aivo, Radovan,


I don't think we have anything like that.


It could be perhaps simulated by creating a recurrent runnable task 
(with the interval of zero meaning it should be triggered manually).

The task would be owned by administrator.

And users would have the rights to "run now", i.e. 
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#runTaskImmediately 
just for this task.

But it would perhaps be a bit complicated for them, as they would need 
to go to the Tasks part of the GUI, find the task and run it. Maybe finding 
the task would not be a big problem if they had authorization to 
see only selected tasks, so the other ones would be hidden from them. 
However, this would collide with a workaround for MID-3120 
<https://jira.evolveum.com/browse/MID-3120> that you maybe use.


Best regards,

Pavol Mederly
Software developer
evolveum.com
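As an added illustration, not part of Pavol's reply and not a file shipped with midPoint, the following role combines the authorizations Aivo arrived at further down in this thread (reportsAll in the GUI, read on ReportType, read and delete on ReportOutputType) with the task-based workaround sketched above: the user may see and "run now" exactly one task, the administrator-owned report task. The role name "Report viewer" and the task name "Report runner" are assumed, and the task object itself (owned by administrator, recurring, started manually) is not shown.

```xml
<!-- Added example role; not from the original thread or the midPoint distribution.
     Assumed names: role "Report viewer", task "Report runner" (owned by administrator). -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>Report viewer</name>

    <!-- GUI: make the Reports section visible -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#reportsAll</action>
    </authorization>

    <!-- Model: list the report definitions -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>ReportType</type>
        </object>
    </authorization>

    <!-- Model: view and delete generated outputs (the piece that was missing).
         Caveat: with no filter this exposes every ReportOutputType object,
         including outputs produced by a task that ran with administrator's rights. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
        <object>
            <type>ReportOutputType</type>
        </object>
    </authorization>

    <!-- Workaround: see and "run now" only the administrator-owned report task,
         selected here by its (assumed) name. Other tasks stay hidden. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#runTaskImmediately</action>
        <object>
            <type>TaskType</type>
            <filter>
                <q:equal>
                    <q:path>name</q:path>
                    <q:value>Report runner</q:value>
                </q:equal>
            </filter>
        </object>
    </authorization>
</role>
```

Two things to check after importing and assigning such a role. First, the task runs with its owner's privileges, so the report contains whatever administrator can see; that is exactly the "suid" effect being asked for, and it means the unfiltered read on ReportOutputType hands every holder of this role the full output. Second, the name-based filter on TaskType is what keeps the task list down to one entry, and, as noted above, that restriction may collide with the MID-3120 workaround if it is in use.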

On 15.09.2016 13:55, Radovan Semancik wrote:
> Hi Aivo,
>
> That's right again. The authorization mechanism in midPoint runs quite 
> deep. The report is executed as a task. The owner of that task is the user 
> who executed it. And such a task can only access the data that are 
> accessible to the task owner. This is one of the basic "defense in 
> depth" mechanisms that midPoint implements. It may be a security issue 
> if we allow a report to access more data than the user who executes it 
> is allowed to see.
>
> But I see what you need. You maybe want something like a UNIX "suid" 
> mechanism for reports. This can be done in tasks, so it also should 
> work for scheduled reports. But I do not know if we have anything like 
> that for reports that are explicitly executed from the GUI. Maybe one 
> of my colleagues will know.
>
> -- 
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
> On 09/15/2016 01:45 PM, Aivo Kuhlberg wrote:
>>
>> I was too optimistic in my previous mail. In principle the reporting 
>> functions now work, but when I view the generated reports, the 
>> reported results depend on the authorization of the user who 
>> generated the report. To save my time figuring out the correct 
>> authorizations for each report, is it possible to run reports under 
>> another user name who has more rights (e.g. administrator)?
>>
>> Best Regards,
>> Aivo Kuhlberg
>>
>>
>> ------------------------------------------------------------------------
>> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Aivo 
>> Kuhlberg <aivo.kuhlberg at rmit.ee>
>> *Sent:* 15 September 2016 13:54
>> *To:* midPoint General Discussion
>> *Subject:* Re: [midPoint] Authorizing access to reports
>>
>> I think I figured out what my problem was. Seems that there exists 
>> also ReportOutputType. So the following additional authorization 
>> solved my problems:
>>
>> <authorization>
>>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
>>     <object>
>>         <type>ReportOutputType</type>
>>     </object>
>> </authorization>
>>
>> Best Regards,
>> Aivo Kuhlberg
>>
>> ------------------------------------------------------------------------
>> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Aivo 
>> Kuhlberg <aivo.kuhlberg at rmit.ee>
>> *Sent:* 15 September 2016 13:40
>> *To:* midpoint
>> *Subject:* [midPoint] Authorizing access to reports
>>
>> I want to create a role which gives a user the ability to access the reports 
>> section. The user should see reports, run them and access the generated 
>> reports. Unfortunately there is not much information to be found in the wiki 
>> about report authorization. So far I figured out how to give access 
>> to the reports section by adding the reportsAll GUI authorization. I also 
>> figured out that there exists a ReportType object, and by adding read 
>> ability to that object I succeeded in running a report. Unfortunately I 
>> don't see any created reports. It seems that there is still some 
>> authorization missing. My current authorizations in the role are the following:
>>
>> <authorization>
>>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#reportsAll</action>
>> </authorization>
>> <authorization>
>>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>>     <object>
>>         <type>ReportType</type>
>>     </object>
>> </authorization>
>>
>> Best Regards,
>> Aivo Kuhlberg
>>
>>
>> ------------------------------------------------------------------------
>> This e-mail may contain information which is classified for official 
>> use.
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
