[midPoint] Role Catalog

Pavol Mederly mederly at evolveum.com
Wed Jan 18 21:26:09 CET 2017


Hello Wojciech,

I don't have the possibility to check right now, but from the error 
message you pasted it seems maybe End user has no authority to read 
system configuration object ... so try something like this:

<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>SystemConfigurationType</type>
    </object>
</authorization>

Pavol Mederly
Software developer
evolveum.com

On 18.01.2017 20:42, Wojciech Staszewski wrote:
>
> A log entry is created when End User tries to access Role Catalog (below).
>
> I'm so desperate that I'm reading source code right now, though I'm 
> not a developer and I understand nothing out of it.
>
> It must be so simple, I don't believe that it's not...
>
> 2017-01-18 20:34:39,702 [] [https-openssl-apr-443-exec-1] ERROR 
> (com.evolveum.midpoint.web.page.self.PageAssignmentShoppingKart): 
> Error getting system configuration: Access denied 
> com.evolveum.midpoint.util.exception.AuthorizationException: Access 
> denied        at 
> com.evolveum.midpoint.model.impl.controller.SchemaTransformer.applySchemasAndSecurityPhase(SchemaTransformer.java:237) 
> ~[model-impl-3.5.jar:na]        at 
> com.evolveum.midpoint.model.impl.controller.SchemaTransformer.applySchemasAndSecurity(SchemaTransformer.java:199) 
> ~[model-impl-3.5.jar:na]        at 
> com.evolveum.midpoint.model.impl.controller.ModelController.getObject(ModelController.java:257) 
> ~[model-impl-3.5.jar:na]        at 
> sun.reflect.GeneratedMethodAccessor498.invoke(Unknown Source) ~[na:na] 
>        at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
> ~[na:1.8.0_112]        at 
> java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_112] 
>        at 
> org.apache.wicket.proxy.LazyInitProxyFactory$JdkHandler.invoke(LazyInitProxyFactory.java:507) 
> ~[wicket-ioc-7.3.0.jar:7.3.0]        at 
> com.sun.proxy.$Proxy160.getObject(Unknown Source) ~[na:na]        at 
> com.evolveum.midpoint.web.page.self.PageAssignmentShoppingKart.getRoleCatalogOid(PageAssignmentShoppingKart.java:81) 
> [classes/:na]        at 
> com.evolveum.midpoint.web.page.self.PageAssignmentShoppingKart.initLayout(PageAssignmentShoppingKart.java:66) 
> [classes/:na]        at 
> com.evolveum.midpoint.web.page.self.PageAssignmentShoppingKart.<init>(PageAssignmentShoppingKart.java:59) 
> [classes/:na]        at 
> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
> [na:1.8.0_112]        at 
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) 
> [na:1.8.0_112]        at 
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 
> [na:1.8.0_112]        at 
> java.lang.reflect.Constructor.newInstance(Constructor.java:423) 
> [na:1.8.0_112]        at 
> org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:175) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:67) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.DefaultMapperContext.newPageInstance(DefaultMapperContext.java:102) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.core.request.handler.PageProvider.resolvePageInstance(PageProvider.java:271) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.core.request.handler.PageProvider.getPageInstance(PageProvider.java:169) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.request.handler.render.PageRenderer.getPage(PageRenderer.java:78) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.request.handler.render.WebPageRenderer.isPageStateless(WebPageRenderer.java:287) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.request.handler.render.WebPageRenderer.shouldRenderPageAndWriteResponse(WebPageRenderer.java:329) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:193) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.core.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:175) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:895) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64) 
> [wicket-request-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:265) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:222) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:293) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284) 
> [wicket-core-7.3.0.jar:7.3.0]        at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) 
> [catalina.jar:8.5.8]        at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) 
> [catalina.jar:8.5.8]        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:115) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:112) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
> [spring-web-4.2.5.RELEASE.jar:4.2.5.RELEASE]        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:206) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
> [spring-web-4.2.5.RELEASE.jar:4.2.5.RELEASE]        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:134) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:106) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) 
> [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE]        at 
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) 
> [spring-web-4.2.5.RELEASE.jar:4.2.5.RELEASE]        at 
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) 
> [spring-web-4.2.5.RELEASE.jar:4.2.5.RELEASE]        at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) 
> [catalina.jar:8.5.8]        at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) 
> [catalina.jar:8.5.8]        at 
> com.evolveum.midpoint.web.util.MidPointProfilingServletFilter.doFilter(MidPointProfilingServletFilter.java:86) 
> [classes/:na]        at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) 
> [catalina.jar:8.5.8]        at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) 
> [catalina.jar:8.5.8]        at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) 
> [catalina.jar:8.5.8]        at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108) 
> [catalina.jar:8.5.8]        at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) 
> [catalina.jar:8.5.8]        at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) 
> [catalina.jar:8.5.8]        at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) 
> [catalina.jar:8.5.8]        at 
> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620) 
> [catalina.jar:8.5.8]        at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) 
> [catalina.jar:8.5.8]        at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349) 
> [catalina.jar:8.5.8]        at 
> org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:219) 
> [tomcat-coyote.jar:8.5.8]        at 
> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) 
> [tomcat-coyote.jar:8.5.8]        at 
> org.apache.coyote.http2.StreamProcessor.run(StreamProcessor.java:63) 
> [tomcat-coyote.jar:8.5.8]        at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) 
> [na:1.8.0_112]        at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) 
> [na:1.8.0_112]        at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) 
> [tomcat-util.jar:8.5.8]        at 
> java.lang.Thread.run(Thread.java:745) [na:1.8.0_112]
>
> On Wednesday, 18 January 2017 09:30:09 CET, Wojciech Staszewski wrote:
>
> > Does anybody know what to do to enable role catalog for "end user"? What to add into "end user" role?
> > At the moment role catalog is available only for admin.
> >
> > I have read this https://wiki.evolveum.com/display/midPoint/GUI+Authorizations
> > but there is nothing related to roleCatalog.
> > End User role contains already read access to "OrgType" and "RoleType", but the RoleCatalog is still inaccessible.
> >
> > Thanks!
> > Regards,
> > Wojciech Staszewski
> > www.skygge.com
>
> >
>
> > On 16.01.2017 at 09:26, Wojciech Staszewski wrote:
> > > Hello!
> > >
> > > I added section mentioned by Kateryna Honchar (thank you!) into end user role and now the cog menu is visible for end user in SelfService.
> > > But I have no idea what I need to add in the end user role to enable Role Catalog view. I tried to search the documentation but I found nothing.
> > > I also tried to add a new authorization section with "RoleCatalog" type but it doesn't work. This is some kind of blindfold work without documentation :(.
> > > Someone knows?
> > >
> > > Thanks, Regards,
> > > Wojciech Staszewski
> > > www.skygge.com
>
> > >
>
> > > On 15.01.2017 at 22:58, Wojciech Staszewski wrote:
> > >> It doesn't work for end user. :(
> > >>
> > >> I see role catalog (I have Superuser role).
> > >> Common user (with MidPoint End user role) can't see it.
> > >> And the cog icon with "unassign" option is invisible for end user as well.
> > >> ...
> > >> Regards,
> > >> WS
> > >> www.skygge.com
>
> > >>
>
> > >> On Sunday, 15 January 2017 20:55:23 CET, Wojciech Staszewski wrote:
> > >>> Thanks, now it works!
> > >>>
> > >>> Regards,
> > >>> WS
> > >>> www.skygge.com
>
> > >>>
>
> > >>> On Sunday, 15 January 2017 20:06:07 CET, Martin Lízner - AMI Praha a.s. wrote:
> > >>>> Hi, you point system configuration to your org root. M.
> > >>>>
> > >>>> <roleManagement>
> > >>>>     <roleCatalogRef oid="c5914a4c-fb27-48ee-8e10-b1f5af3981fb" type="c:OrgType"/>
> > >>>> </roleManagement>
>
> > >>>>
>
> > >>>> Martin Lízner
>
> > >>>> solution architect
>
> > >>>>
>
> > >>>> gsm: [+420] 737 745 571
>
> > >>>> e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>
>
> > >>>>
>
> > >>>>
>
> > >>>> AMI Praha a.s.
>
> > >>>> Pláničkova 11
>
> > >>>> 162 00 Praha 6
>
> > >>>> tel.: [+420] 274 783 239
>
> > >>>> web: www.ami.cz
>
> > >>>>
>
> > >>>>
>
> > >>>>
>
> > >>>>
>
> > >>>> By the text of this e-mail, the undersigned neither promises to conclude nor concludes any contract on behalf of AMI Praha a.s. Any contract, if concluded, must be exclusively in written form.
>
> > >>>>
>
> > >>>>
>
> > >>>> 2017-01-15 19:59 GMT+01:00 Wojciech Staszewski <
>
> > >>>> wojciech.staszewski at diagnostyka.pl>:
>
> > >>>>
>
> > >>>>> Hello!
> > >>>>>
> > >>>>> I configured "Role catalog" based on the example provided by Evolveum.
> > >>>>> New organizational tree was created with categories and roles within these categories.
> > >>>>> But I cannot find any example how to connect this catalog to system configuration XML, so I got error in SelfService:
> > >>>>> "Role catalog is not configured in the system configuration xml".
> > >>>>>
> > >>>>> How to configure "system configuration xml" to enable Role catalog?
> > >>>>>
> > >>>>> Thanks
> > >>>>> Wojciech Staszewski
> > >>>>> www.skygge.com
>
> > >>>>> _______________________________________________
>
> > >>>>> midPoint mailing list
>
> > >>>>> midPoint at lists.evolveum.com
>
> > >>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> > >>>>>
>
> > >>>>
>
> > >>>
>
> > >>>
>
> > >>
>
> > >>
>
> > >
>
> >
>
> -- 
>
> Wojciech Staszewski
> Network Systems Administrator
> mobile: 663 680 236
> www.diagnostyka.pl <http://www.diagnostyka.pl>
> Diagnostyka Sp. z o. o.
> ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
> KRS number: 0000381559 (District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the KRS)
> NIP: 675-12-65-009; REGON: 356366975
> Share capital: 33 756 500 zł.
> Think of the environment before you print this e-mail.
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
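
An added example, not part of the original thread and not midPoint's own code: a small check that reads a role's XML and reports which object types it cannot read, using the #read action URI quoted in the reply above. The sample role, the function names and the treatment of an authorization without an <object> element as unrestricted are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Action URI quoted in the reply above.
READ = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read"

# Constructed sample: an end-user role that can read OrgType and RoleType
# (as described in the thread) but not SystemConfigurationType.
SAMPLE_ROLE = """
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>End user (constructed sample)</name>
  <authorization>
    <action>%s</action>
    <object><type>c:OrgType</type></object>
    <object><type>RoleType</type></object>
  </authorization>
</role>
""" % READ


def local(tag):
    """Strip the '{namespace}' part ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    """Direct children of elem with the given local name, any namespace."""
    return [c for c in elem if local(c.tag) == name]


def readable_types(role_xml):
    """Return the object types the role's authorizations allow #read on.
    '*' marks an authorization with no <object> restriction."""
    types = set()
    for autz in children(ET.fromstring(role_xml), "authorization"):
        actions = {(a.text or "").strip() for a in children(autz, "action")}
        if READ not in actions:
            continue
        objects = children(autz, "object")
        if not objects:
            types.add("*")  # assumption: no <object> means not type-restricted
        for obj in objects:
            for t in children(obj, "type"):
                # Drop a QName prefix such as 'c:' before comparing.
                types.add((t.text or "").strip().split(":")[-1])
    return types


def missing_read(role_xml, required):
    """Types from `required` that the role cannot read."""
    granted = readable_types(role_xml)
    return [] if "*" in granted else sorted(set(required) - granted)


if __name__ == "__main__":
    needed = ["OrgType", "RoleType", "SystemConfigurationType"]
    print(missing_read(SAMPLE_ROLE, needed))
```

The check only looks at #read grants listed directly in the role; it does not evaluate deny decisions or authorizations inherited from other roles.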