[midPoint] Authorizations with orgRelations show an unexpected behavior
iam-mailing at tk.de
iam-mailing at tk.de
Tue Mar 10 10:04:57 CET 2020
Hello,
we struggled to configure the right authorization with an orgRelation tag. In our scenario, we have many different custom relations to model our different responsibilities for org units. For example we have the responsibility to set reset passwords of members of a specified org unit. The password resetter is not a part of this org unit. The password resetter has a special relation (managerPWR) which has the kind manager.
Relation:
<relation>
<ref xmlns:custom="http://example.com/xml/ns/midpoint/relation"> custom:managerPWR</ref>
<description>resets passwords</description>
<display>
<label>password resetter</label>
</display>
<category>organization</category>
<category>administration</category>
<kind>manager</kind>
</relation>
We wanted to build an authorization that allows the person which has the org unit with the relation managerPWR assigned, to read all users in this org unit.
Therefore we build the following authorization:
<authorization>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
<object>
<type>UserType</type>
<orgRelation>
<subjectRelation xmlns:custom="http://example.com/xml/ns/midpoint/relation">custom:managerDSL</subjectRelation>
<scope>allDescendants</scope>
<includeReferenceOrg>true</includeReferenceOrg>
</orgRelation>
</object>
<c:item>name</c:item>
<c:item>fullName</c:item>
<c:item>linkRef</c:item>
<c:item>personaRef</c:item>
</authorization>
The problem we encountered was that the SecurityEnforcerImpl is not looking for every org unit which is assigned to the subject but to all org units which are set as parentOrgRef. Relations of the kind manager will not be set as parentOrgRef.
We discovered the <storedIntoParentOrgRef>true</storedIntoParentOrgRef> option which can be set in the relation definition and this will add the org unit as an parentOrgRef even if is not of the kind member. But this introduces a lot more problems. Midpoint interprets the parentOrgRef in a way that a user is part of the organization, for example in isChildOf(String oid) queries. Therefore the user which has the authorization assigned and is assigned to the org as an password resetter will also have the authorization for all password resetters and for himself.
The final question we have: Why does the <subjectRelation> only evaluates parentOrgRefs? We have the common use case, that somebody has a specific responsibility for an org unit but is not an actual member. Is there a solution we are missing? Is there any plan to change this behaviour in the future? I think the <subjectRelation> would be far more useful if it would work on every kind of relation. In the way it is designed right now it should also not work for approvers, owners etc.
I would be really glad if somebody can give us some information or a hint how we could address this problem.
Thanks in advance
Emil Militzer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200310/138af924/attachment.htm>
More information about the midPoint
mailing list