[midPoint] Raw Operation Authorization and Reports

Brandon Powers brandon at exclamationlabs.com
Thu Oct 4 19:50:29 CEST 2018


Hi all,
A new rawOperation authorization was added to midPoint in version 3.7
(https://wiki.evolveum.com/display/midPoint/Authorization+Configuration).
We are working on upgrading from 3.6 up to 3.8 and encountered an issue
with this authorization with regard to reports.  It seems this authorization
is required to run reports (or to execute the queries for these reports)
for the object types used in the report.

We have some custom reports, but also found the same issue with stock
midPoint reports, such as "Users in MidPoint".  When executing these
reports with a user of limited authorizations (not having the rawOperation
authorization, for security purposes, as documented in the wiki), the report
fails and the following error is logged for the task:
1000000000000028753
ReportCreateTaskHandler.run
FATAL_ERROR
com.evolveum.midpoint.util.exception.AuthorizationException: User
''<username-redacted>'' not authorized for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#rawOperation
on user:42231112-3639-4a8d-bf86-16b1958deecf(<username-redacted>)
Is this a core bug or a report configuration bug?  Is there any way around
this without having to grant the rawOperation authorization to these users?

For reference, I found this authorization is being checked in the
authorizeOptions method of
com.evolveum.midpoint.model.impl.controller.SchemaTransformer.

Any advice is appreciated.

Thanks,
Brandon
-- 
Brandon Powers
Exclamation Labs
300 Washington Street
Cumberland, MD 21502
888.545.5008 or 301.722.5008 ext 144
fax 301.722.2183
brandon at exclamationlabs.com
www.exclamationlabs.com
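For readers hitting the same AuthorizationException, the following role is an added illustration (not part of the original post and not an Evolveum-supplied example) of the grant the error message is asking for, written in midPoint's standard role/authorization XML. The action URI is the one quoted in the logged error; the role name and the object-type scoping to UserType (the type the "Users in MidPoint" report queries) are assumptions, and whether SchemaTransformer.authorizeOptions honours the object scoping for rawOperation is not something this thread establishes. The first authorization alone (read on UserType) is the "limited" configuration that produced the failure; the second is the additional grant that the error names.

```xml
<!-- Added example, not from the original post. Role name, oid and
     object-type scoping are assumptions for illustration only. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="00000000-0000-0000-0000-report-runner-1">
    <name>Report Runner (example)</name>

    <!-- Limited configuration: read users only. With this alone the
         "Users in MidPoint" report fails with
         "not authorized for operation ...#rawOperation". -->
    <authorization>
        <name>read-users</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>

    <!-- The grant the error message asks for. Scoped to UserType (the
         object type used by the report) rather than granted globally,
         so that it stays as narrow as the report's query requires.
         The wiki documents rawOperation as security-sensitive, so
         restrict this role to accounts that genuinely run reports. -->
    <authorization>
        <name>raw-operation-for-user-report</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#rawOperation</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>
</role>
```

Import the role, assign it to the reporting account, and re-run the report task; if the task still logs the same AuthorizationException, the rawOperation check in authorizeOptions is not honouring the object scoping and the question in the post above stands.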