[midPoint] Authorization : read roles assigned with approver relation
Frédéric Lohier
frederic at lohier.org
Tue Oct 19 11:53:26 CEST 2021
Hello,
I am trying to write an authorization that lets a user read all the
roles which are assigned to him with the relation « approver », on midPoint
4.3.1.
I first tried to use <roleRelation> in the <object> (cf. below), but
with <enforcementStrategy>maySkipOnSearch</enforcementStrategy> I get
nothing (the « all roles » search is empty), and without it I get the error
« cannot count objects » during the operations
operation.com.evolveum.midpoint.web.component.data.SelectableBeanContainerDataProvider.countObjects
and operation.com.evolveum.midpoint.model.api.ModelService.countObjects,
with « java error java.lang.UnsupportedOperationException: Inefficient
roleRelation search (includeReferenceRole=true) is not supported yet at
com.evolveum.midpoint.security.enforcer.impl.SecurityEnforcerImpl.processRoleRelationFilter(SecurityEnforcerImpl.java:1909)
».
And if I remove <includeReferenceRole>true</includeReferenceRole>, the
« all roles » search is empty again.
This issue seems to be related to this JIRA issue:
https://jira.evolveum.com/browse/MID-6359
<authorization>
    <name>Roles items read authorizations</name>
    <description>Authorization to read roles which are assigned to the user
        with approver relation</description>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <enforcementStrategy>maySkipOnSearch</enforcementStrategy>
    <object>
        <type>RoleType</type>
        <roleRelation>
            <subjectRelation>org:approver</subjectRelation>
            <includeMembers>false</includeMembers>
            <includeReferenceRole>true</includeReferenceRole>
        </roleRelation>
    </object>
</authorization>
I was able to work around this with the following authorization using the
inOid filter:
<authorization>
    <name>Roles items read authorizations</name>
    <description>Authorization to read roles which are assigned to the
        user with approver relation</description>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>RoleType</type>
        <filter>
            <q:inOid>
                <expression>
                    <script>
                        <code>
                            // build the list of OIDs of the roles which the user can read
                            def roleOids = []
                            // for each assignment of the requesting user (actor)
                            for (assignment in actor.assignment) {
                                def targetRef = assignment.targetRef
                                // skip assignments without a target (e.g. constructions)
                                if (targetRef == null || targetRef.relation == null) {
                                    continue
                                }
                                // if the assignment has an approver relation, add the role OID to the list
                                if (targetRef.relation.toString().contains("approver")) {
                                    roleOids.add(targetRef.oid)
                                }
                            }
                            return roleOids
                        </code>
                    </script>
                </expression>
            </q:inOid>
        </filter>
    </object>
</authorization>
This works but feels a little bit hacky to me. Is there a better approach?
-Frederic