[midPoint] User not authorized for operation modify

Martin Lízner - AMI Praha a.s. martin.lizner at ami.cz
Wed Feb 13 10:14:06 CET 2019


Hi, I suggest you turn on security logging. This will tell you the exact autz
request that mp is evaluating. Before you turn it on I advise that each
authorization has its <name>.

com.evolveum.midpoint.security: TRACE

https://wiki.evolveum.com/display/midPoint/Troubleshooting+Authorizations

Also there is a workaround... you can run the mapping under superuser using
runAsRef. But be careful with it.

M.

*Martin Lízner*
chief solution architect

gsm: [+420] 737 745 571
e‑mail: martin.lizner at ami.cz

*AMI Praha a.s.*
Pláničkova 11, 162 00 Praha 6

tel.: [+420] 274 783 239 | web: www.ami.cz


By the text of this e-mail the signatory neither promises to conclude nor concludes
any contract on behalf of AMI Praha a.s. Any contract, if concluded, must be
exclusively in written form.

This e-mail is intended solely for its addressee(s) and may contain confidential
or personal information. If you are not the intended recipient, any disclosure,
forwarding or other use of this information is prohibited. If you have received
this e-mail without authorization, please inform the sender and immediately delete
all copies of this e-mail including all its attachments. By handling unlawfully
obtained information you expose yourself to the risk of legal action.


On Tue 5 Feb 2019 at 15:05, Oleksandr Nekriach <o.nekriach at dynatech.lv>
wrote:

> Hi to all,
> I have faced an authorization problem and can't understand what is wrong.
>
> I have a mapping in an object template that updates the custom field
> initialPasswordProtected, and this field is hidden for the creator. But every
> time I create a user (the creator has a custom role HelpDesk) I get
> an error message
> User not authorized for operation
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify
>
> This is the problem mapping (I have midPoint version 3.7.2)
>    <mapping>
>       <description>Copy initial password</description>
>       <tolerant>false</tolerant>
>       <strength>strong</strength>
>       <expression>
>          <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                  xsi:type="c:ScriptExpressionEvaluatorType">
>             <code>
>                 // Return the focus password only when credentials and password are present;
>                 // otherwise the mapping yields no value.
>                 if (focus != null && focus.getCredentials() != null
>                         && focus.getCredentials().getPassword() != null) {
>                     return focus.getCredentials().getPassword().getValue();
>                 }
>             </code>
>          </script>
>       </expression>
>       <target>
>          <c:path>extension/initialPasswordProtected</c:path>
>       </target>
>    </mapping>
>
> When I simplified this mapping (see mapping below), everything works fine.
>
>    <mapping>
>       <description>Copy initial password</description>
>       <tolerant>false</tolerant>
>       <strength>strong</strength>
>       <source>
>          <c:path>credentials/password/value</c:path>
>       </source>
>       <target>
>          <c:path>extension/initialPasswordProtected</c:path>
>       </target>
>    </mapping>
>
> The Helpdesk role has no restriction on modifying this attribute in either phase
> for
> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
>
> Schema of attribute:
>    <mapping>
>       <description>Copy initial password</description>
>       <tolerant>false</tolerant>
>       <strength>strong</strength>
>       <source>
>          <c:path>credentials/password/value</c:path>
>       </source>
>       <target>
>          <c:path>extension/initialPasswordProtected</c:path>
>       </target>
>    </mapping>
>
>
> Please help me to understand what is wrong with authorization.
> Thank you in advance
>
>
> --
> Best regards,
>
>
>
> Oleksandr Nekriach | Identity and access management engineer
>
> Dynatech, Jeruzalemes iela 1, Rīga, LV-1010, Latvia
>
> +371 25 314 685, o.nekriach at dynatech.lv | www.dynatech.lv
>
> Stay connected:
> <https://www.facebook.com/DynatechLatvia/?ref=br_rs>
> <https://www.linkedin.com/company-beta/17893047/>
>
>
> Confidentiality Notice: This message contains confidential information and
> is intended only for the named recipient(s). If you are not the addressee
> you may not copy, distribute or perform any other activities with this
> information. If you have received this transmission in error, please notify
> us by e-mail immediately. E-mail transmission cannot be guaranteed to be
> secure or error-free as information could be intercepted, corrupted, lost,
> destroyed, arrive late or incomplete, or contain viruses.
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
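A concrete way to apply the two pieces of advice in the reply above, as an added example that is not code from this thread or from the midPoint project: the first fragment raises the security subsystem logger to TRACE inside the system configuration (the classLogger element is how a per-package level such as `com.evolveum.midpoint.security: TRACE` is expressed there), and the second is a role fragment in which every authorization carries a <name>, so that each evaluated or denied authorization can be identified in the trace. The role name, the authorization names, and the decision to grant modify only for the single extension item (one authorization per phase) are assumptions; the item path and the action URIs are the ones from the question.

```xml
<!-- 1. System configuration fragment: per-package log level for the security subsystem.
        Only the <logging> part is shown; root logger and appenders are left as they are. -->
<systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <logging>
        <!-- TRACE here prints the evaluated authorization requests; it is very verbose,
             so lower it back to INFO once the failing request has been identified. -->
        <classLogger>
            <level>TRACE</level>
            <package>com.evolveum.midpoint.security</package>
        </classLogger>
    </logging>
</systemConfiguration>

<!-- 2. Role fragment (assumed name "HelpDesk"): named, item-scoped authorizations.
        Each <name> shows up in the trace, so a denial can be tied to the rule that was tested. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>HelpDesk</name>

    <!-- request phase: what the helpdesk user is asking for -->
    <authorization>
        <name>helpdesk-modify-initial-password-request</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <phase>request</phase>
        <object>
            <type>UserType</type>
        </object>
        <!-- scoped to the one extension item instead of the whole user object -->
        <item>extension/initialPasswordProtected</item>
    </authorization>

    <!-- execution phase: the delta actually applied, including values computed by mappings -->
    <authorization>
        <name>helpdesk-modify-initial-password-execution</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <phase>execution</phase>
        <object>
            <type>UserType</type>
        </object>
        <item>extension/initialPasswordProtected</item>
    </authorization>
</role>
```

Keeping the authorization scoped to the extension item, and to UserType, is the least-privilege shape: it lets the trace confirm exactly which item and phase the helpdesk role is missing without widening the role to unrestricted modify in the meantime.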