[midPoint] Error 500 when auditRead authorization is restricted to an object

Frédéric Lohier frederic at lohier.org
Wed Jul 24 18:15:50 CEST 2019


Hello,

I wrote the role below which includes an authorization that allows a user
to read the “History” tab of an organization object. But when the user
assigned to this role is trying to click on the “History” tab of an
organization, I get a 500 error with the log attached basically saying that
the user “is not authorized for operation
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#auditRead”.

When I remove the restriction <object><type>OrgType</type></object>, then
the authorization works fine.

Is this a bug I should report in Jira? The closest issue I found in Jira is
MID-5527.


<role>
    …
    <authorization>
        <name>Audit read authorization for organizations</name>
        <description>
            Authorization to read the history of an organization.
        </description>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#auditRead</action>
        <object>
            <type>OrgType</type>
        </object>
    </authorization>
    …
</role>
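As an added illustration (not part of the post or of midPoint itself), a small lint that walks a midPoint role definition and reports auditRead authorizations carrying an `<object>` restriction, the combination the post reports as failing with a 500. The sample role is constructed inline after the one in the post; the namespace handling is an assumption so the check also works on roles that declare the midPoint common-3 namespace.

```python
import xml.etree.ElementTree as ET

AUDIT_READ = ("http://midpoint.evolveum.com/xml/ns/public/security/"
              "authorization-model-3#auditRead")

# Constructed sample modelled on the role in the post; the second
# authorization is an unrestricted auditRead for comparison.
SAMPLE_ROLE = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Org history reader</name>
  <authorization>
    <name>Audit read authorization for organizations</name>
    <action>%s</action>
    <object><type>OrgType</type></object>
  </authorization>
  <authorization>
    <name>Audit read, unrestricted</name>
    <action>%s</action>
  </authorization>
</role>""" % (AUDIT_READ, AUDIT_READ)


def local(tag):
    # Strip any "{namespace}" prefix so the lint works on namespaced and plain roles.
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    return [c for c in elem if local(c.tag) == name]


def restricted_audit_read(role_xml):
    """Return (authorization name, [object types]) for every auditRead
    authorization that carries an <object> restriction."""
    root = ET.fromstring(role_xml)
    hits = []
    for auth in children(root, "authorization"):
        actions = {(a.text or "").strip() for a in children(auth, "action")}
        if AUDIT_READ not in actions:
            continue
        objects = children(auth, "object")
        if not objects:
            continue  # unrestricted auditRead: the form the post says works
        types = [t.text.strip() for o in objects for t in children(o, "type") if t.text]
        names = children(auth, "name")
        name = names[0].text.strip() if names and names[0].text else "<unnamed>"
        hits.append((name, types))
    return hits


if __name__ == "__main__":
    for name, types in restricted_audit_read(SAMPLE_ROLE):
        print(f"auditRead authorization '{name}' restricted to {types}")
```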