[midPoint] Cascade Authorization

Javier Ignacio Martinez jmartinez at identicum.com
Wed Jan 23 20:59:49 CET 2019


Hello,

We have a question regarding the following issue: we created a role
allowing users to modify 4 specific attributes of any user. There are
authorizations to modify those attributes and to access the GUI screens. This
modification triggers a reconcile of the user being modified. Sometimes it
generates authorization errors because of missing permissions to read and
modify shadows and lookup tables used in mappings in the Object Template.
We were wondering if there is any way to implicitly give all these
"cascade" authorizations to the role without the need to give all of them
one by one.

Here is the XML of the role:

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      oid="11111111-1111-1111-0002-000000001040" version="1">
    <name>Telefonia</name>
    <authorization id="1">
        <decision>allow</decision>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <object id="2">
            <type>UserType</type>
        </object>
        <c:item>telephoneNumber</c:item>
        <c:item>extension/metaInternoTelefonia</c:item>
        <c:item>extension/metaLoginTelefonia</c:item>
        <c:item>extension/metaCodigoPersonal</c:item>
    </authorization>
    <authorization id="3">
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll</action>
    </authorization>
    <authorization>
        <!-- We had to add these authorizations in order for it to work -->
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>LookupTableType</type>
        </object>
    </authorization>
    <authorization>
        <!-- We had to add these authorizations in order for it to work -->
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>
    <authorization>
        <!-- We had to add these authorizations in order for it to work -->
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <phase>execution</phase>
        <object>
            <type>ShadowType</type>
        </object>
    </authorization>
</role>
Thanks in advance!
-- 
Javier Martínez
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com
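As an added example (not part of the post above, and not midPoint's own code), the following Python script parses a role like the one posted and reports what each authorization actually grants: actions, decision, phase, object types and item restriction. It also flags allow-grants for write actions that carry no item restriction, since those are object-wide write permissions rather than the four-attribute scope the role was meant to have. The sample role is constructed from the XML in the post with the unused namespace declarations dropped; the defaults used for a missing decision (allow) and a missing phase (both request and execution) follow midPoint's documented behaviour.

```python
"""Summarize what a midPoint role actually grants, from its authorization XML."""
import xml.etree.ElementTree as ET

COMMON_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS = {"c": COMMON_NS}

# Constructed sample: the role XML from the post, with the unused namespace
# declarations dropped and the indentation fixed. Nothing else is changed.
ROLE_XML = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="11111111-1111-1111-0002-000000001040" version="1">
  <name>Telefonia</name>
  <authorization id="1">
    <decision>allow</decision>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <object id="2"><type>UserType</type></object>
    <c:item>telephoneNumber</c:item>
    <c:item>extension/metaInternoTelefonia</c:item>
    <c:item>extension/metaLoginTelefonia</c:item>
    <c:item>extension/metaCodigoPersonal</c:item>
  </authorization>
  <authorization id="3">
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll</action>
  </authorization>
  <authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object><type>LookupTableType</type></object>
  </authorization>
  <authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search</action>
    <object><type>UserType</type></object>
  </authorization>
  <authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
    <phase>execution</phase>
    <object><type>ShadowType</type></object>
  </authorization>
</role>
"""

# Model actions that change state; read, search and the UI actions are read-only.
WRITE_ACTIONS = {"add", "modify", "delete"}


def _text(elem, path, default):
    """Stripped text of the first child matching path, or default if absent."""
    value = elem.findtext(path, default=None, namespaces=NS)
    return value.strip() if value is not None else default


def summarize_grants(xml_text):
    """Return one dict per <authorization>: id, actions, decision, phase, types, items."""
    root = ET.fromstring(xml_text)
    grants = []
    for auth in root.findall("c:authorization", NS):
        grants.append({
            "id": auth.get("id"),
            # Keep only the local part of the action URI ("...#modify" -> "modify").
            "actions": [a.text.strip().rsplit("#", 1)[-1] for a in auth.findall("c:action", NS)],
            # midPoint treats a missing <decision> as allow.
            "decision": _text(auth, "c:decision", "allow"),
            # midPoint applies an authorization with no <phase> to both phases.
            "phase": _text(auth, "c:phase", "both"),
            "types": [t.text.strip() for t in auth.findall("c:object/c:type", NS)],
            "items": [i.text.strip() for i in auth.findall("c:item", NS)],
        })
    return grants


def find_unrestricted_writes(grants):
    """Allow-grants with a write action and no <item> restriction, i.e. writes to
    the whole object. These are the grants to justify when reviewing the role."""
    return [
        g for g in grants
        if g["decision"] == "allow"
        and WRITE_ACTIONS & set(g["actions"])
        and not g["items"]
    ]


def format_report(grants):
    """One line per grant, readable enough to paste into a review ticket."""
    lines = []
    for g in grants:
        scope = ", ".join(g["types"]) or "(any object)"
        items = ", ".join(g["items"]) or "(whole object)"
        lines.append(f"{g['decision']:5} {'/'.join(g['actions']):18} "
                     f"phase={g['phase']:9} on {scope}: {items}")
    return "\n".join(lines)


if __name__ == "__main__":
    grants = summarize_grants(ROLE_XML)
    print(format_report(grants))
    for g in find_unrestricted_writes(grants):
        print("WARNING: object-wide write grant on", ", ".join(g["types"]))
```

Run against the posted role it reports five grants and warns once, for the ShadowType authorization, which allows modify and add on whole shadows in the execution phase; the first authorization is not flagged because its modify is limited to the four listed items.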