[midPoint] Authorization restriction to some certain objects in Assignments window in User profile

Kate Honchar kate.honchar at evolveum.com
Wed Jul 11 11:29:36 CEST 2018


Oleksandr, 
#adminAssign and #adminUnassign authorizations should not be used with a target object filter. They are only about displaying/hiding a button. 
Does the user have other roles which could possibly give him authorization to assign more roles? 
What if you use just one filter for the assignment target object? E.g. use just <authorization id="24"> and disable <authorization id="20"> for a while. Is there any effect? 

Best regards 
Kate 
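
As an added example (not from this thread and not the midPoint project's own code), the advice above combined into one role definition: the GUI authorizations that only show the buttons, the model #assign/#unassign authorizations that carry the target filter, and a #read authorization on the same roles (assumed to be needed so the selection window can list them). The role name and the authorization names are made up; the action URIs are the ones used in the thread plus the model #read action.

```xml
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <!-- made-up role name -->
    <name>Example: assign Role- prefixed roles</name>

    <!-- 1. GUI authorizations: only show/hide the plus and minus buttons on a
            user's Assignments tab. No target filter here; as explained in the
            thread, these actions are not target-aware. -->
    <authorization>
        <name>gui-assignment-buttons</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>

    <!-- 2. Model authorizations: the actual assign/unassign operation on users,
            restricted to target roles whose name starts with "Role-". This is
            the authorization that limits what is offered for assignment. -->
    <authorization>
        <name>assign-role-prefixed-roles</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
        <object>
            <type>UserType</type>
        </object>
        <target>
            <type>RoleType</type>
            <filter>
                <q:substring>
                    <q:path>name</q:path>
                    <q:value>Role-</q:value>
                    <q:anchorStart>true</q:anchorStart>
                </q:substring>
            </filter>
        </target>
    </authorization>

    <!-- 3. Read authorization on the same roles (assumption: the selection
            window can only list objects the user is allowed to read). The
            filter is kept identical to the target filter above. -->
    <authorization>
        <name>read-role-prefixed-roles</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>RoleType</type>
            <filter>
                <q:substring>
                    <q:path>name</q:path>
                    <q:value>Role-</q:value>
                    <q:anchorStart>true</q:anchorStart>
                </q:substring>
            </filter>
        </object>
    </authorization>
</role>
```

When testing a role like this, use a test user that holds only this role: authorizations from all of a user's roles are combined, so any other role granting #assign with a wider target filter will make more roles appear in the selection window, which is the point Kate raises above.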

----- Original Message -----

From: "Oleksandr Nekriach" <o.nekriach at dynatech.lv> 
To: "midPoint General Discussion" <midpoint at lists.evolveum.com> 
Sent: Wednesday, July 11, 2018 9:01:53 AM 
Subject: Re: [midPoint] Authorization restriction to some certain objects in Assignments window in User profile 

Hi Kate, 
Of course, I combine #assign #unassign with #adminAssign #adminUnassign. 
But it hides the unwanted roles from the Request role tab and does not hide them from the adminAssign window. 

Here is an example: 

<authorization id="24">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
    <object id="25">
        <type>UserType</type>
    </object>
    <target id="26">
        <type>RoleType</type>
        <filter>
            <q:equal>
                <q:path>name</q:path>
                <q:value>End user</q:value>
            </q:equal>
        </filter>
    </target>
</authorization>
<authorization id="20">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
    <object id="17">
        <type>UserType</type>
    </object>
    <target id="18">
        <type>RoleType</type>
        <filter>
            <q:substring>
                <q:path>name</q:path>
                <q:value>Role-</q:value>
                <q:anchorStart>true</q:anchorStart>
            </q:substring>
        </filter>
    </target>
</authorization>

On 11 July 2018 at 00:12, Kate Honchar <kate.honchar at evolveum.com> wrote: 



Oleksandr, hi 
The authorizations you use are really about the GUI part, so they control whether the user sees the plus button to add a new assignment (and the minus button to unassign) or not. 
To control the list of target objects for the new assignment, please use the authorization 
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action> 

To give the right for the unassigning operation, please use 
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action> 

Best regards. 
Kate. 

From: "Oleksandr Nekriach" <o.nekriach at dynatech.lv> 
To: "midPoint General Discussion" <midpoint at lists.evolveum.com> 
Sent: Tuesday, July 10, 2018 3:29:41 PM 
Subject: Re: [midPoint] Authorization restriction to some certain objects in Assignments window in User profile 


I am talking about the green "plus" icon button on the Assignments tab in the User profile, which opens the "Select object" window. I am trying to restrict the list of Roles which are available for assignment in this window. 
In the first case I see the button and see all Roles. 
In the second case the button disappears after applying any filter. 




On 10 July 2018 at 15:52, Ivan Noris <ivan.noris at evolveum.com> wrote: 

<blockquote>



Can you attach a portion of the screen so that I know what exactly is missing? I would say this would be some missing GUI authorization, but I would like to see the screenshot with an indication of what is missing. 




Thank you! 

Ivan 

On 10.07.2018 10:06, Oleksandr Nekriach wrote: 

<blockquote>

Ivan, 
When I add a target section with a filter, the adminAssign button disappears. 
Do you have a working example so I can understand what I am doing wrong? 

I see the button but also see all the roles: 
<authorization>
    <name>AssignGUI</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign</action>
    <description>Assign/unassign in admin GUI (role profile)</description>
    <object>
        <type>UserType</type>
    </object>
</authorization>


I don't see the button at all: 

<authorization>
    <name>AssignGUI</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign</action>
    <description>Assign/unassign in admin GUI (role profile)</description>
    <object>
        <type>UserType</type>
    </object>
    <target>
        <filter>
            <q:type>
                <q:type>c:RoleType</q:type>
                <q:filter>
                    <q:substring>
                        <q:matching>polyStringNorm</q:matching>
                        <q:path>name</q:path>
                        <q:value>Role</q:value>
                        <q:anchorStart>true</q:anchorStart>
                    </q:substring>
                </q:filter>
            </q:type>
        </filter>
    </target>
</authorization>




On 10 July 2018 at 09:22, Oleksandr Nekriach <o.nekriach at dynatech.lv> wrote: 

<blockquote>

Hi Ivan, thank you. 

On 9 July 2018 at 22:08, Ivan Noris <ivan.noris at evolveum.com> wrote: 

<blockquote>



Hi Oleksandr, 

please see the referenced Jira issue with an example that I reported earlier and which was fixed in the meantime. 

https://jira.evolveum.com/browse/MID-3615 

Maybe you're only missing the q:matching element. Or target, as assign/unassign are target-aware. 


Best regards, 

Ivan 

On 06.07.2018 13:54, Oleksandr Nekriach wrote: 

<blockquote>

Hello, 
I am stuck. Is it possible to restrict access to only certain objects (e.g. only roles with the Role- prefix) in the Assignments window in the User profile? 
Something like this, but this example does not work: 

<authorization>
    <name>AssignGUI</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign</action>
    <description>Assign/unassign in admin GUI (role profile)</description>
    <c:object>
        <c:type>RoleType</c:type>
    </c:object>
    <filter>
        <q:substring>
            <q:path>name</q:path>
            <q:value>Role-</q:value>
            <q:anchorStart>true</q:anchorStart>
        </q:substring>
    </filter>
</authorization>





-- 
Best regards, 



Oleksandr Nekriach | Identity and access management engineer 

Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia 

+37125314685 
, 
o.nekriach at dynatech.lv 
| 
www.dynatech.lv 


Stay connected: 


Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. 


_______________________________________________
midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint 



-- 
Ivan Noris
Senior Identity Engineer evolveum.com 

</blockquote>




</blockquote>




</blockquote>

</blockquote>




</blockquote>



