[midPoint] Authorizations not being inherited

Pavol Mederly mederly at evolveum.com
Mon Jan 9 14:45:37 CET 2017


Well... to be more precise: the focusType check at that line expects that 
the focus type is present in LensContext. But, for the purpose of 
evaluation of user assignments during login, the focus type in 
LensContext is not filled in.

Please write the JIRA and we'll fix that.

Pavol Mederly
Software developer
evolveum.com

On 09.01.2017 14:41, Pavol Mederly wrote:
>
> Martin,
>
> I've played with your case for a while and it seems that 
> *<focusType>UserType</focusType>* is the problem. After removing it, 
> the authorizations are propagated correctly.
>
> I'm not sure why it is so, as it should work, as far as I know. I 
> suspect a bug at AssignmentEvaluator:682, but I'm not sure.
>
> Maybe you could file a JIRA for this.
>
> Pavol Mederly
> Software developer
> evolveum.com
> On 03.01.2017 19:10, Martin Marchese wrote:
>> Hi All,
>>
>> Within our MidPoint 3.5 deployment, we have created an Org Structure 
>> which induces a role to users.
>>
>> This role contains all kinds of authorizations for users (REST 
>> access, GUI access, etc).
>>
>> Once the organization is assigned to a user, it gets the role 
>> assigned but not the authorizations. However, if we assign the role 
>> directly to the user, all the authorizations are assigned OK.
>>
>> I was wondering if there is not any kind of order for authorizations 
>> (as it is for inducements). Or anything that we might be missing in 
>> our objects?
>>
>> Below, I send examples of what our Org and Role look like:
>>
>>
>> Org:
>> -----
>> <org oid="00000000-0000-1de4-0009-000000000001">
>>    <name>MEGC</name>
>> ...
>>     <inducement id="6">
>>       <targetRef oid="00000000-0000-1de4-0003-000000000001" type="RoleType"></targetRef>
>>       <orderConstraint>
>>         <orderMax>unbounded</orderMax>
>>       </orderConstraint>
>>       <focusType>UserType</focusType>
>>     </inducement>
>> ...
>> </org>
>>
>> Role:
>> -------
>>
>> <role oid="00000000-0000-1de4-0003-000000000001"
>>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>>   <name>MidPoint Custom User</name>
>>   <roleType>APPLICATION</roleType>
>>   <authorization>
>>     <description>Permisos GUI</description>
>>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfDashboard</action>
>>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfCredentials</action>
>>   </authorization>
>> ...
>> </role>
>>
>> Thanks in advance
>>
>> *Ing. Martín Marchese*
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> mmarchese at identicum.com <mailto:mmarchese at identicum.com>
>> www.identicum.com <http://www.identicum.com>
>>
>>

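An added example, not part of the thread and not midPoint code: a Python check over exported object XML that lists inducements carrying `focusType` whose target role holds authorizations, the combination reported above as not propagating in this MidPoint 3.5 deployment. The `<objects>` wrapper, the second org and the function names are assumptions; the sample is constructed from the Org and Role quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Org and Role from the thread (elided parts omitted),
# plus a hypothetical second org whose inducement has no focusType.
SAMPLE = """<objects>
  <org oid="00000000-0000-1de4-0009-000000000001">
    <name>MEGC</name>
    <inducement id="6">
      <targetRef oid="00000000-0000-1de4-0003-000000000001" type="RoleType"/>
      <orderConstraint><orderMax>unbounded</orderMax></orderConstraint>
      <focusType>UserType</focusType>
    </inducement>
  </org>
  <org oid="constructed-org-oid">
    <name>CONSTRUCTED</name>
    <inducement id="1">
      <targetRef oid="00000000-0000-1de4-0003-000000000001" type="RoleType"/>
    </inducement>
  </org>
  <role oid="00000000-0000-1de4-0003-000000000001">
    <name>MidPoint Custom User</name>
    <authorization>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfDashboard</action>
    </authorization>
  </role>
</objects>"""

def local(tag):
    """Strip any '{namespace}' prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def kids(elem, name):
    """Direct children of elem with the given local name."""
    return [c for c in elem if local(c.tag) == name]

def audit(xml_text):
    """Return (holder, inducement id, focusType, role) for each risky inducement."""
    root = ET.fromstring(xml_text)
    objs = [e for e in root.iter() if local(e.tag) in ("org", "role") and e.get("oid")]
    # Roles that carry at least one <authorization>, keyed by oid.
    authz_roles = {o.get("oid"): kids(o, "name")[0].text
                   for o in objs if local(o.tag) == "role" and kids(o, "authorization")}
    findings = []
    for holder in objs:
        for ind in kids(holder, "inducement"):
            focus = kids(ind, "focusType")
            for ref in kids(ind, "targetRef"):
                if focus and ref.get("oid") in authz_roles:
                    findings.append((kids(holder, "name")[0].text, ind.get("id"),
                                     focus[0].text.strip(), authz_roles[ref.get("oid")]))
    return findings
```

Calling `audit(SAMPLE)` flags only the MEGC inducement; the constructed org, whose inducement has no `focusType`, is not reported.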