[midPoint] Raw Operation Authorization and Reports
radovan.semancik at evolveum.com
Tue Oct 9 17:13:04 CEST 2018
The GUI should use raw operations only when dealing with raw XML data. All
other operations should be regular (non-raw) ones. Therefore, if the GUI is
using a raw operation to work with reports, it is indeed a core bug.
On 10/04/2018 07:50 PM, Brandon Powers wrote:
> Hi all,
> A newer RAW OPERATION authorization was added to midPoint in version
> We are working on upgrading from 3.6 up to 3.8 and encountered an
> issue with this authorization in regards to reports. It seems this
> authorization is required to run reports (or to execute the queries
> for these reports) for object types used in the report.
> We have some custom reports, but also found the same issue with stock
> midPoint reports, such as "Users in MidPoint". When executing these
> reports with a user of limited authorizations (not having the
> rawOperation auth for security purposes as documented in wiki), the
> report fails and the following error is logged for the task:
> com.evolveum.midpoint.util.exception.AuthorizationException: User
> ''<username-redacted>'' not authorized for operation
> on user:42231112-3639-4a8d-bf86-16b1958deecf(<username-redacted>)
> Is this a core bug or a report configuration bug? Any way around this
> without having to grant the rawOperation authorization to these users?
> For reference, I found this authorization is being checked
> in com.evolveum.midpoint.model.impl.controller.SchemaTransformer
> :: authorizeOptions method
> Any advice is appreciated.
> Brandon Powers
> Exclamation Labs
> 300 Washington Street
> Cumberland, MD 21502
> 888.545.5008 or 301.722.5008 ext 144
> fax 301.722.2183
> brandon at exclamationlabs.com