[midPoint] Authorization restriction to some certain objects in Assignments window in User profile
Kate Honchar
kate.honchar at evolveum.com
Wed Jul 11 11:29:36 CEST 2018
Oleksandr,
#adminAssign and #adminUnassign authorizations should not be used with target object filter. They are only about displaying/hiding a button.
Does the user have another roles which probably could give him authorization to assign more roles?
What if you use just one filter for assignment target object? e.g. use just <authorization id="24"> and disable for a while <authorization id="20">. Is there any effect?
Best regards
Kate
----- Original Message -----
From: "Oleksandr Nekriach" <o.nekriach at dynatech.lv>
To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
Sent: Wednesday, July 11, 2018 9:01:53 AM
Subject: Re: [midPoint] Authorization restriction to some certain objects in Assignments window in User profile
Hi Kate,
Of course, I combine #assign #unassign with #adminAssign #adminAssign #adminUnassign
But It hides unwilling roles from Request role tab and does not hide them from adminAssign window.
Here is some example
<authorization id="24">
<action> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign </action>
<action> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign </action>
<object id="25">
<type>UserType</type>
</object>
<target id="26">
<type>RoleType</type>
<filter>
<q:equal>
<q:path>name</q:path>
<q:value>End user</q:value>
</q:equal>
</filter>
</target>
</authorization>
<authorization id="20">
<action> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign </action>
<action> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign </action>
<object id="17">
<type>UserType</type>
</object>
<target id="18">
<type>RoleType</type>
<filter>
<q:substring>
<q:path>name</q:path>
<q:value>Role-</q:value>
<q:anchorStart>true</q:anchorStart>
</q:substring>
</filter>
</target>
</authorization>
On 11 July 2018 at 00:12, Kate Honchar < kate.honchar at evolveum.com > wrote:
Oleksandr, hi
The authorizations you use are really about GUI part, so they control either user sees plus button to assign new assignment (and minus button to unassign) or not.
To control the list of target objects for the new assignment, please, use the authorization
< action > http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign </ action >
To give right for the unassigning operation, pls, use
< action > http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign </ action >
Best regards.
Kate.
From: "Oleksandr Nekriach" < o.nekriach at dynatech.lv >
To: "midPoint General Discussion" < midpoint at lists.evolveum.com >
Sent: Tuesday, July 10, 2018 3:29:41 PM
Subject: Re: [midPoint] Authorization restriction to some certain objects in Assignments window in User profile
I am toking about the green "plus" icon button on Assignment tab in User profile which opens "Select object window". I am trying to restrict list of Roles which are available for assignment in this window.
In the first case I see the button and see all Roles.
In the second case the button disappears after applying any filter.
On 10 July 2018 at 15:52, Ivan Noris < ivan.noris at evolveum.com > wrote:
<blockquote>
Can you attach a portion of screen so that I know what exactly is missing? I would say this would be some missing gui authorization, but I would like to see the screenshot with indication what is missing.
Thank you!
Ivan
On 10.07.2018 10:06, Oleksandr Nekriach wrote:
<blockquote>
Ivan,
When I add some target section with filter adminAssign button disappear.
Do you have some working example to understand what I am doing in a wrong way?
See the button but also see the all roles
<authorization>
<name>AssignGUI</name>
<action> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign </action>
<action> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign </action>
<description>Assign/unassign in admin GUI (role profile)</description>
<object>
<type>UserType</type>
</object>
</authorization>
Don't see button at all
<authorization>
<name>AssignGUI</name>
<action> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign </action>
<action> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign </action>
<description>Assign/unassign in admin GUI (role profile)</description>
<object>
<type>UserType</type>
</object>
<target>
<filter>
<q:type>
<q:type>c:RoleType</q:type>
<q:filter>
<q:substring>
<q:matching>polyStringNorm</q:matching>
<q:path>name</q:path>
<q:value>Role</q:value>
<q:anchorStart>true</q:anchorStart>
</q:substring>
</q:filter>
</q:type>
</filter>
</target>
</authorization>
On 10 July 2018 at 09:22, Oleksandr Nekriach < o.nekriach at dynatech.lv > wrote:
<blockquote>
Hi Ivan, thank you.
On 9 July 2018 at 22:08, Ivan Noris < ivan.noris at evolveum.com > wrote:
<blockquote>
Hi Oleksandr,
please see the referenced jira issue with example that I reported earlier and was fixed meanwhile.
https://jira.evolveum.com/browse/MID-3615
Maybe you're only missing the q:matching element. Or target; as assign/unassign are target-aware.
Best regards,
Ivan
On 06.07.2018 13:54, Oleksandr Nekriach wrote:
<blockquote>
Hello,
I am stuck. Is it possible to restrict access to some certain objects only (role with Role- prefix only e.g) in Assignments window in User profile .
Something like this but this example does not work.
<authorization>
<name>AssignGUI</name>
<action> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign </action>
<action> http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign </action>
<description>Assign/unassign in admin GUI (role profile)</description>
<c:object>
<c:type>RoleType</c:type>
</c:object>
<filter>
<q:substring>
<q:path>name</q:path>
<q:value>Role-</q:value>
<q:anchorStart>true</q:anchorStart>
</q:substring>
</filter>
</authorization>
--
Best regards,
Oleksandr Nekriach | Identity and access management engineer
Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
+37125314685
,
o.nekriach at dynatech.lv
|
www.dynatech.lv
Stay connected:
Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
_______________________________________________
midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ivan Noris
Senior Identity Engineer evolveum.com
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
</blockquote>
--
Best regards,
Oleksandr Nekriach | Identity and access management engineer
Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
+37125314685
,
o.nekriach at dynatech.lv
|
www.dynatech.lv
Stay connected:
Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
</blockquote>
--
Best regards,
Oleksandr Nekriach | Identity and access management engineer
Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
+37125314685
,
o.nekriach at dynatech.lv
|
www.dynatech.lv
Stay connected:
Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
_______________________________________________
midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint
</blockquote>
--
Ivan Noris
Senior Identity Engineer evolveum.com
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
</blockquote>
--
Best regards,
Oleksandr Nekriach | Identity and access management engineer
Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
+37125314685
,
o.nekriach at dynatech.lv
|
www.dynatech.lv
Stay connected:
Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
</blockquote>
--
Best regards,
Oleksandr Nekriach | Identity and access management engineer
Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
+37125314685
,
o.nekriach at dynatech.lv
|
www.dynatech.lv
Stay connected:
Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180711/f291914a/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 55402 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180711/f291914a/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1520941785292-7770
Type: image/png
Size: 4265 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180711/f291914a/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1520941785292-7771
Type: image/png
Size: 790 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180711/f291914a/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1520941785292-7772
Type: image/png
Size: 786 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180711/f291914a/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1520941785292-7770
Type: image/png
Size: 4265 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180711/f291914a/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1520941785292-7771
Type: image/png
Size: 790 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180711/f291914a/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1520941785292-7772
Type: image/png
Size: 786 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180711/f291914a/attachment-0006.png>
More information about the midPoint
mailing list