[midPoint] User not authorized for operation modify

Oleksandr Nekriach o.nekriach at dynatech.lv
Wed Feb 13 10:29:35 CET 2019


Hi Martin,
Thank you for your response.
I have tried runAsRef, and in my case this workaround does not work.
I have also tried turning on security logging, but I see the same message:
User not authorized for operation modify for the initialPasswordProtected
attribute.
If I try to use something like focus.get... in the expression of another
attribute's mapping, I receive the same error message for those other
attributes.
I have no idea how to solve this problem.



On Wed, 13 Feb 2019 at 11:18, Martin Lízner - AMI Praha a.s. <martin.lizner at ami.cz> wrote:

> Hi, I suggest you turn on security logging. This will tell you the exact
> authorization request that midPoint is evaluating. Before you turn it on, I
> advise that each authorization has its <name>.
>
> com.evolveum.midpoint.security: TRACE
>
> https://wiki.evolveum.com/display/midPoint/Troubleshooting+Authorizations
>
> Also, there is a workaround: you can run the mapping under superuser using
> runAsRef. But be careful with it.
>
> M.
>
> *Martin Lízner*
> chief solution architect
>
> gsm: [+420] 737 745 571
> e‑mail: martin.lizner at ami.cz
>
> *AMI Praha a.s.*
> Pláničkova 11, 162 00 Praha 6
>
> tel.: [+420] 274 783 239 | web: www.ami.cz
>
> By the text of this e-mail the signatory neither promises to conclude nor
> concludes any contract on behalf of AMI Praha a.s. Any contract, if it is
> concluded, must be exclusively in written form.
>
> This e-mail is intended solely for the needs of its addressee(s) and may
> contain confidential or personal information. If you are not the intended
> recipient, any disclosure, forwarding or other use of this information is
> prohibited. If you have received this e-mail without authorization, please
> inform the sender and delete all copies of this e-mail including all its
> attachments without delay. By handling information obtained without
> authorization you expose yourself to the risk of legal action.
>
>
> On Tue, 5 Feb 2019 at 15:05, Oleksandr Nekriach <o.nekriach at dynatech.lv> wrote:
>
>> Hi to all,
>> I have faced an authorization problem and can't understand what is
>> wrong.
>>
>> I have a mapping in an object template that updates the custom field
>> initialPasswordProtected, and this field is hidden from the creator. But
>> every time I create a user (the creator has a custom role HelpDesk) I get
>> an error message:
>> User not authorized for operation
>> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify
>>
>> Here is the problem mapping (I have midPoint version 3.7.2):
>>    <mapping>
>>       <description>Copy initial password</description>
>>       <tolerant>false</tolerant>
>>       <strength>strong</strength>
>>       <expression>
>>          <!-- Groovy's && must be written as &amp;&amp; inside XML element content -->
>>          <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>                  xsi:type="c:ScriptExpressionEvaluatorType">
>>             <code>
>>                if (focus != null &amp;&amp; focus.getCredentials() != null
>>                        &amp;&amp; focus.getCredentials().getPassword() != null) {
>>                    return focus.getCredentials().getPassword().getValue();
>>                }
>>             </code>
>>          </script>
>>       </expression>
>>       <target>
>>          <c:path>extension/initialPasswordProtected</c:path>
>>       </target>
>>    </mapping>
>>
>> When I simplified this mapping (see mapping below), everything works
>> fine.
>>
>>    <mapping>
>>       <description>Copy initial password</description>
>>       <tolerant>false</tolerant>
>>       <strength>strong</strength>
>>       <source>
>>          <c:path>credentials/password/value</c:path>
>>       </source>
>>       <target>
>>          <c:path>extension/initialPasswordProtected</c:path>
>>       </target>
>>    </mapping>
>>
>> The HelpDesk role has no restriction on modifying this attribute in both
>> phases, for
>> <action>
>> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read
>> </action>
>> <action>
>> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add
>> </action>
>> <action>
>> http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify
>> </action>
>>
>> Schema of attribute:
>>    <mapping>
>>       <description>Copy initial password</description>
>>       <tolerant>false</tolerant>
>>       <strength>strong</strength>
>>       <source>
>>          <c:path>credentials/password/value</c:path>
>>       </source>
>>       <target>
>>          <c:path>extension/initialPasswordProtected</c:path>
>>       </target>
>>    </mapping>
>>
>>
>> Please help me understand what is wrong with the authorization.
>> Thank you in advance.
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>


-- 
Best regards,



Oleksandr Nekriach | Identity and access management engineer

Dynatech, Jeruzalemes iela 1, Rīga, LV-1010, Latvia
<https://www.google.com/maps/place/DYNATECH/@56.9575205,24.1107235,17z/data=!3m1!4b1!4m5!3m4!1s0x46eecf5753e42351:0x23b120b9745cae62!8m2!3d56.9575205!4d24.1129122>

+37125314685 <+371%2025%20314%20685>
,
o.nekriach at dynatech.lv
|
www.dynatech.lv


Stay connected:
<https://www.facebook.com/DynatechLatvia/?ref=br_rs>
<https://www.linkedin.com/company-beta/17893047/>


Confidentiality Notice: This message contains confidential information and
is intended only for the named recipient(s). If you are not the addressee
you may not copy, distribute or perform any other activities with this
information. If you have received this transmission in error, please notify
us by e-mail immediately. E-mail transmission cannot be guaranteed to be
secure or error-free as information could be intercepted, corrupted, lost,
destroyed, arrive late or incomplete, or contain viruses.
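Martin's advice above (give every authorization a <name>, then trace com.evolveum.midpoint.security) and the request/execution phases the original post refers to, illustrated as an added example that is not taken from either poster's configuration. The role below is constructed: the role name, the OID and the authorization names are placeholders, the actions and the extension/initialPasswordProtected item path are the ones quoted in the thread, and the other item paths are ordinary UserType attributes added for illustration. It shows the structure of a phase-split, named authorization set; it is not offered as the resolution of the reported error.

```xml
<!--
  Added example, not from the thread. A HelpDesk-style role in which every
  authorization carries a <name>, so that the security TRACE log entries for
  each evaluated authorization are readable. OID and names are placeholders.
-->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="00000000-0000-0000-0000-000000000000"> <!-- placeholder OID -->
    <name>HelpDesk-example</name>

    <!-- Read access to users. No <phase> is given, so it covers both phases. -->
    <authorization>
        <name>helpdesk-read-users</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>

    <!-- Request phase: checks what the operator asks for (the primary delta). -->
    <authorization>
        <name>helpdesk-add-modify-users-request</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <phase>request</phase>
        <object>
            <type>UserType</type>
        </object>
        <item>name</item>
        <item>givenName</item>
        <item>familyName</item>
        <item>credentials/password/value</item>
    </authorization>

    <!-- Execution phase: checks the deltas that will actually be executed,
         which include the values computed by object template mappings. -->
    <authorization>
        <name>helpdesk-add-modify-users-execution</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <phase>execution</phase>
        <object>
            <type>UserType</type>
        </object>
        <item>name</item>
        <item>givenName</item>
        <item>familyName</item>
        <item>credentials/password/value</item>
        <item>extension/initialPasswordProtected</item>
    </authorization>
</role>
```

With each authorization named, the TRACE output Martin points to (logger com.evolveum.midpoint.security, as in his message) identifies the authorizations that were evaluated against the rejected modify request by name rather than by position in the role, which is the point of adding the names before turning the logging on.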