[midPoint] Authorizations not being inherited

Martin Marchese mmarchese at identicum.com
Tue Jan 10 14:08:10 CET 2017


Thanks Pavol for your answer. I just created a JIRA for this.

*Ing. Martín Marchese*
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
mmarchese at identicum.com
www.identicum.com

On Mon, Jan 9, 2017 at 10:45 AM, Pavol Mederly <mederly at evolveum.com> wrote:

> Well... to be more precise: focusType check at that line expects that the
> focus type is present in LensContext. But, for the purpose of evaluation of
> user assignments during login, the focus type in LensContext is not
> filled-in.
>
> Please write the JIRA and we'll fix that.
>
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 09.01.2017 14:41, Pavol Mederly wrote:
>
> Martin,
>
> I've played with your case for a while and it seems that
> *<focusType>UserType</focusType>* is the problem. After removing it, the
> authorizations are propagated correctly.
>
> I'm not sure why it is so, as it should work, as far as I know. I suspect
> a bug at AssignmentEvaluator:682, but I'm not sure.
>
> Maybe you could file a JIRA for this.
>
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 03.01.2017 19:10, Martin Marchese wrote:
>
> Hi All,
>
> Within our MidPoint 3.5 deployment, we have created an Org Structure which
> induces a role to users.
>
> This role contains all kinds of authorizations for users (REST access,
> GUI access, etc.).
>
> Once the organization is assigned to a user, it gets the role assigned but
> not the authorizations. However, if we assign the role directly to the
> user, all the authorizations are assigned OK.
>
> I was wondering if there is not any kind of order for authorizations (as
> it is for inducements). Or anything that we might be missing in our objects?
>
> Below, I send examples of what our Org and Role look like:
>
>
> Org:
> -----
> <org oid="00000000-0000-1de4-0009-000000000001">
>   <name>MEGC</name>
> ...
>   <inducement id="6">
>     <targetRef oid="00000000-0000-1de4-0003-000000000001" type="RoleType"></targetRef>
>     <orderConstraint>
>       <orderMax>unbounded</orderMax>
>     </orderConstraint>
>     <focusType>UserType</focusType>
>   </inducement>
> ...
> </org>
>
> Role:
> -------
>
> <role oid="00000000-0000-1de4-0003-000000000001"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>   <name>MidPoint Custom User</name>
>   <roleType>APPLICATION</roleType>
>   <authorization>
>     <description>Permisos GUI</description>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfDashboard</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfCredentials</action>
>   </authorization>
> ...
> </role>
>
> Thanks in Advance
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> mmarchese at identicum.com
> www.identicum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
>
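The thread narrows the symptom down to one element: an Org inducement that targets a role and also carries `<focusType>`, which in this midPoint 3.5 case stops the role's authorizations from reaching the user at login. A quick configuration review that lists every such inducement in an exported Org object is a practical way to find other objects with the same pattern before users notice missing GUI or REST access. The script below is an added example for this thread, not code from midPoint or from either poster; the two sample Org documents are constructed from the fragment Martin posted (one unqualified, one in a default XML namespace as midPoint exports typically are), and the OID of the second inducement is a made-up placeholder.

```python
"""Scan midPoint Org objects for inducements that combine a targetRef with
<focusType>. Added example built around the thread's symptom; not midPoint code."""
import xml.etree.ElementTree as ET

# Constructed sample, based on the Org fragment in the thread. Inducement 6 is the
# problematic shape (targets a role AND restricts focusType); inducement 7 does not
# restrict focusType and is there to show it is not reported. Its OID is a placeholder.
SAMPLE_ORG = """<org oid="00000000-0000-1de4-0009-000000000001">
  <name>MEGC</name>
  <inducement id="6">
    <targetRef oid="00000000-0000-1de4-0003-000000000001" type="RoleType"/>
    <orderConstraint><orderMax>unbounded</orderMax></orderConstraint>
    <focusType>UserType</focusType>
  </inducement>
  <inducement id="7">
    <targetRef oid="11111111-1111-1111-1111-111111111111" type="RoleType"/>
  </inducement>
</org>"""

# Same content, but with the elements in the midPoint common-3 namespace, as an
# exported object would be. Constructed for the example.
SAMPLE_ORG_NAMESPACED = SAMPLE_ORG.replace(
    '<org oid=',
    '<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid=',
)


def local_name(tag):
    """Strip a '{namespace}' prefix so the scan works on qualified and unqualified XML."""
    return tag.rsplit('}', 1)[-1]


def children_named(elem, name):
    """Direct children of elem whose local name matches name."""
    return [child for child in elem if local_name(child.tag) == name]


def inducements_with_focus_type(org_xml):
    """Return one dict per inducement that both targets an object and sets focusType.

    Per the thread, this is the shape whose authorizations were not propagated
    at login in the reporter's midPoint 3.5 deployment.
    """
    root = ET.fromstring(org_xml)
    findings = []
    for inducement in children_named(root, 'inducement'):
        targets = children_named(inducement, 'targetRef')
        focus = children_named(inducement, 'focusType')
        if targets and focus:
            findings.append({
                'id': inducement.get('id'),
                'target_oid': targets[0].get('oid'),
                'target_type': targets[0].get('type'),
                'focus_type': (focus[0].text or '').strip(),
            })
    return findings


def report(org_xml):
    """Human-readable lines for a review ticket, one per finding."""
    return [
        f"inducement id={f['id']} -> {f['target_type']} {f['target_oid']} "
        f"is restricted to focusType={f['focus_type']}; verify the target's "
        f"authorizations are actually granted to the members of this org"
        for f in inducements_with_focus_type(org_xml)
    ]


if __name__ == '__main__':
    for sample in (SAMPLE_ORG, SAMPLE_ORG_NAMESPACED):
        for line in report(sample):
            print(line)
```

Run it against `midpoint` exports of your Org objects; each reported inducement is one to test end-to-end (assign the org to a test user, then check the user's effective authorizations, not just the assigned role) rather than assume the authorizations follow the role. The namespace stripping matters because a raw export qualifies every element, while hand-written fragments like the one in the thread often do not.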