[midPoint] Authorization assignment target

Sven Lukrafka sven.lukrafka at daasi.de
Wed Feb 19 10:56:18 CET 2020


Hello,

I'm struggling at the moment to implement targets for assignment
authorizations.


The basic setup is:

- organisation (org1)

- Manager of organisation (MangerOfOrg1)

- User in the organisation (userInOrg)

- Role in organisation (roleInOrg)


MangerOfOrg1 has all authorizations except modifications.

The goal is to allow the manager to only assign those users to roles
where the user and the role are in the organisation he is manager of.


My first guess was:

    <authorization>
        <c:name>AssignAuth</c:name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
        <c:object>
            <c:type>UserType</c:type>
            <c:orgRelation>
                <c:subjectRelation>org:manager</c:subjectRelation>
            </c:orgRelation>
        </c:object>
        <c:target>
            <c:type>RoleType</c:type>
            <c:orgRelation>
                <c:subjectRelation>org:manager</c:subjectRelation>
            </c:orgRelation>
        </c:target>
    </authorization>


But since in the cases I could find, only users are managed by other
users, it is not possible to reference the orgRelation for RoleType objects.


Another approach could be:

<c:target>
    <c:type>RoleType</c:type>
    <c:roleRelation>
        <c:subjectRelation>org:manager</c:subjectRelation>
    </c:roleRelation>
</c:target>

(With explicit assignment of MangerOfOrg1 with relation manager to
roleInOrg)


Here the relational reference does not include the organisation; instead the
user has a direct relation to the role.

According to the code, this seems not to be implemented yet.


I also tried a filter like in the documentation, but the result in the
log was always:

[MODEL] [pool-3-thread-75] TRACE (com.evolveum.midpoint.security.enforcer.impl.SecurityEnforcerImpl): authorization 'AssignAuth' in role:f3a9f622-bd1f-426c-8dec-cff5b88e9fd8(ManagerAuthRole) not applicable for null target


So my question is: should one of the examples work and I made a mistake in
the configuration, or do you have a better way to achieve the selection
of targets for assignments?


Best regards,

Sven Lukrafka