[midPoint] Organization Authorization

Sebastian Dornieden Sebastian.Dornieden at comramo.de
Tue Mar 15 10:07:18 CET 2022


Dear MidPoint Community,

I'm fairly new to midPoint (using 4.4.1) and at the moment I'm stuck with some organization issues where I don't know if it's a bug or a simple misconfiguration.

I'm trying to set up a manager role. The manager should see his members, assign roles to them and set up inducements for his own org unit (config at the bottom).

Problems:


  1.  Authorization UI actions don't work as I expected:
     *   http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgAll -> works
     *   http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgTree -> works
     *   http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgStruct -> "Org. structure" not visible at all
     *   http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgUnit -> only "New organization" visible in "Org. structure"
  2.  I experienced strange behaviour in the org tree view (this and the following point are why I'm trying to hide it):
     *   Assigning a role with a relation (manager) via the org tree view in a user object is not possible; the relation falls back to default in the assignment screen (works fine via "All organizations")
  3.  The org tree view seems buggy when I use inheritance of org structures, example:
     *   Org-Top
     *   Org-FirstLevel (Assignment to Org-Top, Inducement of Org-Top)
     *   Org-SecondLevel (Assignment to Org-FirstLevel, Inducement of Org-FirstLevel)
Gives me the following view in Org-Tree:

  1.  Org-Top
  2.  Org-FirstLevel
     *   Org-SecondLevel
  3.  Org-SecondLevel (but why?)
Removing the inducement gives me the expected view.

I don’t get it. Help needed. 😊


Manager Role Authorization:
    <authorization>
        <!-- GUI pages and actions the manager may use -->
        <name>gui</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgAll</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminAssign</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#adminUnassign</action>
    </authorization>
    <authorization>
        <!-- assign/unassign OrgType objects; order 0 = assignments, higher orders = inducements -->
        <name>assignment</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
        <object>
            <type>OrgType</type>
        </object>
        <orderConstraints>
            <orderMin>0</orderMin>
            <orderMax>unbounded</orderMax>
        </orderConstraints>
    </authorization>
    <authorization>
        <!-- read everything in orgs the subject manages (the orgs themselves and all descendants),
             plus roles whose identifier matches the filter -->
        <name>autz-read</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <orgRelation>
                <subjectRelation>org:manager</subjectRelation>
                <scope>allDescendants</scope>
                <includeReferenceOrg>true</includeReferenceOrg>
            </orgRelation>
        </object>
        <object>
            <type>RoleType</type>
            <filter>
                <q:equal>
                    <q:path>identifier</q:path>
                    <q:value>"some string"</q:value>
                </q:equal>
            </filter>
        </object>
    </authorization>
    <authorization>
        <!-- modify/add/delete objects in orgs the subject manages -->
        <name>autz-write</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
        <object>
            <orgRelation>
                <subjectRelation>org:manager</subjectRelation>
            </orgRelation>
        </object>
    </authorization>
    <authorization>
        <!-- full access to shadows owned by objects in orgs the subject manages -->
        <name>autz-shadow</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
        <object>
            <type>ShadowType</type>
            <owner>
                <orgRelation>
                    <subjectRelation>org:manager</subjectRelation>
                </orgRelation>
            </owner>
        </object>
    </authorization>

Sebastian Dornieden
IT Administrator
Information Technology Department

COMRAMO AG
Bischofsholer Damm 89
30173 Hannover

Commercial register: Hannover HRB 56111
Managing director: Mr Peter Nohr

Mail: Sebastian.Dornieden at comramo.de
Web: www.comramo.de

Information Technology Department hotline:
+49 511 12401-767

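A small model of the membership propagation behind problem 3, added here as an illustration (it is not code from the original post or from midPoint itself). It assumes midPoint's evaluation rule that an object's org assignments make it a member of those orgs and that every inducement held by an org is then granted to each of its members, recursively; under that rule Org-SecondLevel, being a member of Org-FirstLevel, also receives Org-FirstLevel's induced assignment to Org-Top and therefore gets Org-Top as a second parent.

```python
from typing import Dict, List, Set

# Constructed sample mirroring the post's three orgs: each entry lists the
# orgs the object is assigned to and the orgs its members are induced into.
OrgMap = Dict[str, Dict[str, List[str]]]
ORGS: OrgMap = {
    "Org-Top":         {"assignments": [],                 "inducements": []},
    "Org-FirstLevel":  {"assignments": ["Org-Top"],        "inducements": ["Org-Top"]},
    "Org-SecondLevel": {"assignments": ["Org-FirstLevel"], "inducements": ["Org-FirstLevel"]},
}

def effective_memberships(assignments: List[str], orgs: OrgMap) -> Set[str]:
    """Orgs an object ends up a member of, given its direct org assignments.
    Assumed rule: membership in an org grants that org's inducements, and the
    induced memberships are evaluated the same way (hence the work list)."""
    result: Set[str] = set()
    todo = list(assignments)
    while todo:
        org = todo.pop()
        if org in result:
            continue
        result.add(org)
        todo.extend(orgs[org]["inducements"])
    return result

def org_parents(org: str, orgs: OrgMap) -> Set[str]:
    """parentOrgRef-like view: every org `org` is a member of."""
    return effective_memberships(orgs[org]["assignments"], orgs)

def org_tree(orgs: OrgMap) -> Dict[str, List[str]]:
    """Children of every org, as an org tree view would list them."""
    tree: Dict[str, List[str]] = {name: [] for name in orgs}
    for child in orgs:
        for parent in org_parents(child, orgs):
            tree[parent].append(child)
    return {name: sorted(children) for name, children in tree.items()}

def without_inducements(orgs: OrgMap) -> OrgMap:
    """Same structure with all inducements removed (the post's 'expected view')."""
    return {n: {"assignments": o["assignments"], "inducements": []} for n, o in orgs.items()}

def render(tree: Dict[str, List[str]], root: str, depth: int = 0) -> List[str]:
    """Indented text rendering of the tree below `root`."""
    lines = ["  " * depth + root]
    for child in tree[root]:
        lines.extend(render(tree, child, depth + 1))
    return lines

if __name__ == "__main__":
    print("\n".join(render(org_tree(ORGS), "Org-Top")))
    print("--- without inducements ---")
    print("\n".join(render(org_tree(without_inducements(ORGS)), "Org-Top")))
    print("user assigned to Org-SecondLevel is a member of:",
          sorted(effective_memberships(["Org-SecondLevel"], ORGS)))
```

The last line also shows the effect the inducements were presumably meant to have: a user assigned only to Org-SecondLevel becomes a member of all three orgs.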