[midPoint] query issue/confusion
Ivan Noris
ivan.noris at evolveum.com
Wed Apr 9 15:08:59 CEST 2025
Hi Markus,
yes, you basically need to make your choice: either your users will
have the ability to search Users, or you can give the expressions
authorizations to be executed as administrators (as in this case).
If your end users are not able to update those expressions or provide
their own custom inputs to them, it should be quite OK to run the
expressions as privileged. You can create a different midPoint user to
run the expressions - e.g. with #read (implies #get + #search; see [1])
authorization for all UserType objects and nothing more. It should
also be more visible in the audit log.
Best regards,
Ivan
[1]
https://docs.evolveum.com/midpoint/reference/support-4.9/security/authorization/configuration/#read-get-and-search
On 9. 4. 2025 14:35, Markus Calmius via midPoint wrote:
> Hi Ivan,
>
> thank you!
> This was driving me nuts, I should have thought about the permissions...
> I'll see if we can add those specific permissions, or if we run this part privileged as in your example.
>
> Thanks again!
> Markus
>
> On Wednesday, 9 April 2025 at 12:27, midpoint-request at lists.evolveum.com <midpoint-request at lists.evolveum.com> wrote:
>
>> Message: 1
>> Date: Wed, 9 Apr 2025 12:27:33 +0200
>> From: Ivan Noris ivan.noris at evolveum.com
>>
>> To: midpoint at lists.evolveum.com
>> Subject: Re: [midPoint] query issue/confusion
>> Message-ID: 9fda7e51-619d-4937-8c3f-57710df4fc7c at evolveum.com
>>
>> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>>
>> Hi Markus,
>>
>> I tried the very first example:
>>
>> queryFor = "assignment/targetRef matches (oid='7a0cc3de-1cc6-4f62-ad4f-56f8c24cb26d' and targetType=UserType and relation=deputy)"
>> uQuery = midpoint.queryFor(UserType.class, queryFor)
>> ceoDelegatedTo = midpoint.searchObjects(uQuery)
>> log.info("XXX ceoDelegatedTo = {}", ceoDelegatedTo)
>>
>> My approver (with the oid above) has delegated to administrator and
>> security-officer1 users.
>>
>> I used the query and expressions in assignee notification for work
>> items, in expressionFilter.
>>
>> When I requested for myself (non-privileged user), I had the same issue
>> as you, ceoDelegatedTo returning an empty list.
>>
>> midpoint-server-1 | 2025-04-09 10:12:53,035 [MODEL] [http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = []
>> midpoint-server-1 | 2025-04-09 10:12:53,042 [MODEL] [http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = []
>> midpoint-server-1 | 2025-04-09 10:12:53,047 [MODEL] [http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = []
>> midpoint-server-1 | 2025-04-09 10:12:53,051 [MODEL] [http-nio-8080-exec-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = []
>>
>> When I did this under administrator, I can clearly see (multiple
>> notifications are used in my case):
>>
>> midpoint-server-1 | 2025-04-09 10:11:55,186 [MODEL] [pool-3-thread-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
>> midpoint-server-1 | 2025-04-09 10:11:55,191 [MODEL] [pool-3-thread-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
>> midpoint-server-1 | 2025-04-09 10:11:55,194 [MODEL] [pool-3-thread-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
>> midpoint-server-1 | 2025-04-09 10:11:55,196 [MODEL] [pool-3-thread-6] INFO (com.evolveum.midpoint.expression): XXX woitem-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
>>
>> (so two users are returned)
>>
>> After adding privileges/runAsRef:
>>
>> <expressionFilter>
>>     <privileges>
>>         <runAsRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/>
>>     </privileges>
>>     <script>
>>         <code>
>>             import com.evolveum.midpoint.xml.ns._public.common.common_3.*
>>             queryFor = "assignment/targetRef matches (oid='7a0cc3de-1cc6-4f62-ad4f-56f8c24cb26d' and targetType=UserType and relation=deputy)"
>>             uQuery = midpoint.queryFor(UserType.class, queryFor)
>>             ceoDelegatedTo = midpoint.searchObjects(uQuery)
>>             log.info("XXX work-item-notifier-workitem-assignee: ceoDelegatedTo = {}", ceoDelegatedTo)
>>             . . .
>>
>>
>>
>> my unprivileged user, requesting for himself, can use the expression and
>> query just fine:
>>
>> midpoint-server-1 | 2025-04-09 10:22:41,760 [MODEL] [http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression): XXX work-item-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
>> midpoint-server-1 | 2025-04-09 10:22:41,766 [MODEL] [http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression): XXX work-item-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
>> midpoint-server-1 | 2025-04-09 10:22:41,771 [MODEL] [http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression): XXX work-item-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
>> midpoint-server-1 | 2025-04-09 10:22:41,776 [MODEL] [http-nio-8080-exec-7] INFO (com.evolveum.midpoint.expression): XXX work-item-notifier-workitem-assignee: ceoDelegatedTo = [user:caddf511-3351-484e-959b-0daf38afe476(security-officer1), user:00000000-0000-0000-0000-000000000002(administrator)]
>>
>>
>> I need to add that I am currently using midPoint master, not 4.8.x, but
>> nevertheless I believe this could be caused by permissions.
>>
>> If you run the expression in Query playground or in midPoint GUI, you
>> are probably logged as administrator(?)
>>
>> Could you please check whether your user has the privileges for
>> searching? Or you can consider having the expression executed under
>> administrator or another privileged user, as shown above.
>>
>>
>> Best regards,
>> Ivan
>>
>>
>> On 2. 4. 2025 11:21, Markus Calmius via midPoint wrote:
>>
>>> Hi,
>>>
>>> [Using: midpoint 4.8.5]
>>>
>>> I'm trying to create an expression filter for notifications, but I
>>> simply cannot get it to work.
>>> General idea is this:
>>> "if CEO has delegated approvals to someone, do not send email to CEO"
>>>
>>> Basic issue:
>>> using the advanced query in the GUI, the query playground and Groovy code in a script
>>> return different values.
>>>
>>> Set up:
>>> from user CEO I have delegated to two users. When using the advanced
>>> search
>>> "assignment/targetRef matches (oid="<oid of ceo>" and
>>> targetType=UserType and relation=deputy)"
>>> I get the two users.
>>> Since there is also a delegatedRef, I also tried:
>>> "delegatedRef matches (oid="<oid of ceo>" and relation=deputy)" and
>>> got two results.
>>>
>>> All good, now, moving to the expressionFilter:
>>> ---
>>> queryfor = "assignment/targetRef matches (oid='<oid of ceo>' and targetType=UserType and relation=deputy)"
>>> uQuery = midpoint.queryFor(UserType.class, queryfor)
>>> ceoDelegatedTo = midpoint.searchObjects(uQuery)
>>> ---
>>>
>>> the returned list is empty.
>>> I have tried using the delegatedRef as well, same result.
>>>
>>> I have also tried:
>>> ----
>>> ref = midpoint.getPrismContext().itemFactory().createReferenceValue(ceoOid, UserType.COMPLEX_TYPE)
>>> ref.setRelation(new QName("deputy"))    // also tried org:deputy
>>> query = prismContext.queryFor(UserType.class)
>>>             .item(UserType.F_DELEGATED_REF).ref(ref)
>>>             .build()
>>> ceoDelegatedTo = midpoint.searchObjects(UserType.class, query)
>>> ----
>>> still empty list.
>>>
>>> Using the query playground, this:
>>> ---
>>> import com.evolveum.midpoint.xml.ns._public.common.common_3.*
>>> queryfor="delegatedRef matches
>>> (oid=\"6b1aad6b-02f3-4d2d-8edb-fff371d0bbb6\" and relation=deputy)"
>>> uQuery = midpoint.queryFor(UserType.class, queryfor)
>>> ---
>>> returns the two users.
>>> Adding:
>>> ---
>>> midpoint.searchObjects(uQuery)
>>> ---
>>> and I get an error "Expression returned more than one value (2) in "
>>> I have to use:
>>> ---
>>> midpoint.searchObjects(uQuery).toString()
>>> ---
>>> to get expected two values.
>>>
>>> What am I missing here?
>>>
>>> Markus Calmius
>>> Proton AG
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ivan Noris
>> Expert Identity Engineer
>> evolveum.com
--
Ivan Noris
Expert Identity Engineer
evolveum.com
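The least-privilege variant Ivan recommends, written out as an added example (this is not configuration from the thread or from the midPoint project): a role that carries only the #read authorization on UserType, a service user holding that role, and the notification expressionFilter running under that user via runAsRef instead of under administrator. The role and user OIDs and names are placeholders I chose; the CEO OID is the one from Ivan's post; and the handler is assumed to be the one addressed to the CEO, so the filter suppresses its mail whenever at least one deputy exists.

```xml
<!-- Added example, not part of the original thread. OIDs and names are placeholders. -->

<!-- 1. Role granting exactly what the expression needs and nothing else.
        #read implies #get and #search on the listed object type. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="11111111-2222-3333-4444-555555555555">
    <name>Notification expression runner</name>
    <authorization>
        <name>read-users-for-notification-filter</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>
</role>

<!-- 2. Service user holding the role. It gets no credentials: runAsRef does not
        log in, so there is nothing for a person to authenticate with. -->
<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee">
    <name>svc-notification-expression</name>
    <assignment>
        <targetRef oid="11111111-2222-3333-4444-555555555555" type="RoleType"/>
    </assignment>
</user>

<!-- 3. The expression filter from the thread, now run as the service user.
        Audit entries for the search are attributed to this principal,
        not to administrator. -->
<expressionFilter>
    <privileges>
        <runAsRef oid="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" type="UserType"/>
    </privileges>
    <script>
        <code>
            import com.evolveum.midpoint.xml.ns._public.common.common_3.*

            // CEO OID taken from Ivan's example; the query is the one from the thread.
            ceoOid = '7a0cc3de-1cc6-4f62-ad4f-56f8c24cb26d'
            queryFor = "assignment/targetRef matches (oid='" + ceoOid + "' and targetType=UserType and relation=deputy)"
            uQuery = midpoint.queryFor(UserType.class, queryFor)
            ceoDelegatedTo = midpoint.searchObjects(uQuery)
            log.info("ceoDelegatedTo = {}", ceoDelegatedTo)

            // Assumption: this handler is the one addressed to the CEO.
            // Send only when nobody currently holds the deputy relation.
            return ceoDelegatedTo.isEmpty()
        </code>
    </script>
</expressionFilter>
```

Ivan's caveat still applies: whoever can edit this script, or feed it input that reaches the query string, effectively acts with the run-as user's authorizations, so keep that role to the single #read on UserType and nothing more.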