[midPoint] User not authorized for operation modify

Oleksandr Nekriach o.nekriach at dynatech.lv
Tue Feb 5 15:02:16 CET 2019


Hi to all,
I have run into an authorization problem and can't understand what is wrong.

I have a mapping in an object template that updates the custom field
initialPasswordProtected, and this field is hidden from the creator. But every
time I create a user (the creator has a custom role HelpDesk) I get
the error message
User not authorized for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify

Here is the problematic mapping (I have midPoint version 3.7.2):
   <mapping>
      <description>Copy initial password</description>
      <tolerant>false</tolerant>
      <strength>strong</strength>
      <expression>
         <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:type="c:ScriptExpressionEvaluatorType">
            <code>
               if (focus != null && focus.getCredentials() != null && focus.getCredentials().getPassword() != null) {
                  return focus.getCredentials().getPassword().getValue();
               }
            </code>
         </script>
      </expression>
      <target>
         <c:path>extension/initialPasswordProtected</c:path>
      </target>
   </mapping>

When I simplified this mapping (see mapping below), everything works fine.

   <mapping>
      <description>Copy initial password</description>
      <tolerant>false</tolerant>
      <strength>strong</strength>
      <source>
         <c:path>credentials/password/value</c:path>
      </source>
      <target>
         <c:path>extension/initialPasswordProtected</c:path>
      </target>
   </mapping>

The HelpDesk role has no restriction on modifying this attribute in both phases
for
<action>
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
</action>
<action>
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add
</action>
<action>
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify
</action>

Schema of attribute:
   <mapping>
      <description>Copy initial password</description>
      <tolerant>false</tolerant>
      <strength>strong</strength>
      <source>
         <c:path>credentials/password/value</c:path>
      </source>
      <target>
         <c:path>extension/initialPasswordProtected</c:path>
      </target>
   </mapping>


Please help me understand what is wrong with the authorization.
Thank you in advance.


-- 
Best regards,



Oleksandr Nekriach | Identity and access management engineer

Dynatech, Jeruzalemes iela 1, Rīga, LV-1010, Latvia
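The two mappings above differ in one structural point: the script version declares no `<source>`, while the working version does. The following is an added example (not part of the original post and not midPoint's own tooling) that parses an object template and flags script mappings without a declared source; it assumes, per midPoint's mapping documentation, that a source-less mapping is re-evaluated on every change of the focus, and the sample template is constructed for the example.

```python
"""Lint midPoint object-template mappings for script expressions with no <source>.

Assumption (labelled): a mapping that declares no source is evaluated on every
focus change, so a strong, script-based mapping may try to write its target
during operations that never touched the values the script reads.
"""
import xml.etree.ElementTree as ET

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS = {"c": C}

# Constructed sample: the two mappings from the post, wrapped in a template
# with the namespace declared so the fragment parses on its own.
SAMPLE = f"""<objectTemplate xmlns="{C}" xmlns:c="{C}">
  <mapping>
    <description>Copy initial password (script, no source)</description>
    <strength>strong</strength>
    <expression><script><code>return focus?.credentials?.password?.value</code></script></expression>
    <target><c:path>extension/initialPasswordProtected</c:path></target>
  </mapping>
  <mapping>
    <description>Copy initial password (source-based)</description>
    <strength>strong</strength>
    <source><c:path>credentials/password/value</c:path></source>
    <target><c:path>extension/initialPasswordProtected</c:path></target>
  </mapping>
</objectTemplate>"""


def lint_mappings(xml_text):
    """Return one (description, target path, findings) tuple per mapping."""
    root = ET.fromstring(xml_text)
    report = []
    for m in root.findall("c:mapping", NS):
        desc = m.findtext("c:description", default="", namespaces=NS)
        target = m.findtext("c:target/c:path", default="", namespaces=NS)
        has_source = m.find("c:source", NS) is not None
        has_script = m.find("c:expression/c:script", NS) is not None
        findings = []
        if has_script and not has_source:
            # Evaluated on every change (assumption above), not only when
            # the password changes, unlike the source-based mapping.
            findings.append("script mapping declares no <source>")
        report.append((desc, target, findings))
    return report


if __name__ == "__main__":
    for desc, target, findings in lint_mappings(SAMPLE):
        print(f"{desc} -> {target}: {findings or 'ok'}")
```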