<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Florin,<br>
<br>
I can't see anything about the actual denial of access yet.<br>
Could you share the whole log?<br>
Also what exception do you see after clicking on "Show more" in the
not-displayed account? Can you also copy/paste it with stacktrace?<br>
<br>
I also have another question: are there any tasks related to this
user? Are you using workflow?<br>
<br>
Thanks,<br>
regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 05/25/2016 10:03 PM, Florin.
Stingaciu wrote:<br>
</div>
<blockquote
cite="mid:CAMQHPY1bzzj+4vprijhT+QXbKduBkY-hCEc3t=v=3eZ3DXrDTg@mail.gmail.com"
type="cite">
<div dir="ltr">Here's the full stack trace for loading the
"Profile" page for a user that only contains an account on the
problematic resource: <a moz-do-not-send="true"
href="http://pastebin.com/cthMLBY2">http://pastebin.com/cthMLBY2</a><br>
<br>
Also what the GUI looks like: <a moz-do-not-send="true"
href="http://i.imgur.com/4qfzzcH.png">http://i.imgur.com/4qfzzcH.png</a><br>
<br>
I believe these are the relevant lines from the trace:
<div><br>
<div>2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</a>])</div>
<div>2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization not applicable for operation <a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div>
<div>2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>])</div>
<div>2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization is not applicable for phase REQUEST</div>
<div>2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>])</div>
<div>2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization is not applicable for phase REQUEST</div>
<div>2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</a>])</div>
<div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization not applicable for operation <a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div>
<div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</a>])</div>
<div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization not applicable for operation <a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div>
<div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a>])</div>
<div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization not applicable for operation <a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div>
<div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a>])</div>
<div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization not applicable for operation <a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div>
<div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>])</div>
<div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization is not applicable for phase REQUEST</div>
<div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
AUTZ search pre-process: principal=pwmproxy, operation=<a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>:
default deny</div>
<div>2016-05-25 19:57:12,973 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</a>])</div>
<div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization not applicable for operation <a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div>
<div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>])</div>
<div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization is not applicable for phase EXECUTION</div>
<div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>])</div>
<div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization is not applicable for phase EXECUTION</div>
<div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</a>])</div>
<div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization not applicable for operation <a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div>
<div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</a>])</div>
<div>2016-05-25 19:57:12,974 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization not applicable for operation <a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div>
<div>2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a>])</div>
<div>2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization not applicable for operation <a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div>
<div>2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</a>])</div>
<div>2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization not applicable for operation <a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></div>
<div>2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Evaluating authorization [<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>])</div>
<div>2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
Authorization is not applicable for phase EXECUTION</div>
<div>2016-05-25 19:57:12,975 [MODEL] [http-bio-8443-exec-19]
TRACE
(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):
AUTZ search pre-process: principal=pwmproxy, operation=<a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a>:
default deny<br>
<br>
Also, if this is at all relevant, all of these accounts were
created via the RESTful API. I've done this on numerous
other deployments but never experienced this issue. Please
let me know if there's anything further I could provide. </div>
<div><br>
</div>
<div>Thanks, </div>
<div>-F </div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, May 25, 2016 at 11:29 AM,
Florin. Stingaciu <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:fstingaciu@mirantis.com" target="_blank">fstingaciu@mirantis.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Here's a pastebin with the End User
role: <a moz-do-not-send="true"
href="http://pastebin.com/hufRebnK" target="_blank">http://pastebin.com/hufRebnK</a><br>
<br>
I just tried the same action within my dev environment
(the account has groups as well), using this exact same
role, and everything worked fine. This leads me to believe
there might be a different issue here?
<div><br>
</div>
<div>Thanks, </div>
<span class="HOEnZb"><font color="#888888">
<div>-F </div>
</font></span></div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, May 25, 2016 at 11:15
AM, Florin. Stingaciu <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:fstingaciu@mirantis.com"
target="_blank">fstingaciu@mirantis.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hey Ivan,
<div><br>
</div>
<div>Yes, indeed. This other account does
reference groups. I'm assuming this means
there's an authorization action for reading
groups?</div>
<div><br>
</div>
<div>The end user role is just the default one
that comes with midpoint. I'm using version
3.3.1.</div>
<div><br>
</div>
<div>Thanks, </div>
<span><font color="#888888">
<div>-F </div>
</font></span></div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, May 25,
2016 at 11:10 AM, Ivan Noris <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hi Florin,<br>
<br>
is the other account referencing any
associations (groups) if you open the
same user as administrator? Most of
the time this was my problem, if I
did not have a good End user role.<br>
<br>
Which midPoint version is this?<br>
<br>
Ivan
<div>
<div><br>
<br>
<div>On 05/25/2016 07:09 PM,
Florin. Stingaciu wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hello,
<div><br>
</div>
<div>I'm trying to use the End
User role to allow users to
login and verify their
accounts. The definition for
the End User role is the
default definition, however
when I log in as an End
User, one of two of my
resources fails to load with
the following error:<br>
<p> </p>
<p><span>2016-05-25
17:05:17,699 []
[http-bio-8443-exec-2]
ERROR
(com.evolveum.midpoint.web.page.admin.PageAdminFocus):
Couldn't load account,
reason: Access denied
(class
com.evolveum.midpoint.util.exception.AuthorizationException)</span></p>
<p>I've used the End User
role before without ever
having any issues, and the
fact that it loads the
other resource just fine
is making me a little
worried. Any guidance
would be greatly
appreciated. </p>
<p>Thanks, </p>
<p>-F <br>
</p>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span><font color="#888888">
</font></span></pre>
<span><font color="#888888"> </font></span></blockquote>
<span><font color="#888888"> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a> <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper ID(e)M Vix."
</pre>
</font></span></div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
</pre>
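<br>
Added example, not part of the original thread and not midPoint's own code: a small Python triage script for SecurityEnforcerImpl TRACE output in the message formats quoted above. It groups the "Evaluating authorization" lines under the "AUTZ search pre-process" decision that follows them and lists the authorizations that name the requested operation but were skipped because of phase. The sample lines are constructed from the formats in the thread, and the function names are hypothetical.<br>
<br>

```python
import re

# Message formats taken from the SecurityEnforcerImpl TRACE lines quoted in the thread.
LOGGER = re.compile(r"\(com\.evolveum\.midpoint\.security\.impl\.SecurityEnforcerImpl\):\s*(.*)$")
EVAL = re.compile(r"Evaluating authorization \[([^\]]*)\]")
SKIP_OP = re.compile(r"Authorization not applicable for operation \S+")
SKIP_PHASE = re.compile(r"Authorization is not applicable for phase (\w+)")
DECISION = re.compile(r"AUTZ search pre-process: principal=(\S+?), operation=(\S+?): (.+)$")

def summarise(log_text):
    """Group evaluated authorizations under the decision line that follows them."""
    decisions, evaluated = [], []
    for raw in log_text.splitlines():
        found = LOGGER.search(raw)
        if not found:
            continue  # other loggers, stack traces, blank lines
        msg = found.group(1)
        if m := EVAL.search(msg):
            evaluated.append({"action": m.group(1), "skipped": None})
        elif SKIP_OP.search(msg) and evaluated:
            evaluated[-1]["skipped"] = "operation"
        elif (m := SKIP_PHASE.search(msg)) and evaluated:
            evaluated[-1]["skipped"] = "phase " + m.group(1)
        elif m := DECISION.search(msg):
            decisions.append({"principal": m.group(1), "operation": m.group(2),
                              "outcome": m.group(3).strip(), "evaluated": evaluated})
            evaluated = []
    return decisions

def phase_skips(decision):
    """Skip reasons of authorizations that name the requested operation but were skipped for phase."""
    return [a["skipped"] for a in decision["evaluated"]
            if a["action"] == decision["operation"] and (a["skipped"] or "").startswith("phase")]

# Constructed sample: same message formats as the thread, shortened to four authorizations per pass.
P = ("2016-05-25 19:57:12,972 [MODEL] [http-bio-8443-exec-19] TRACE "
     "(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): ")
UI = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#"
MODEL = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#"

def constructed_pass(phase):
    lines = []
    for action in (UI + "selfAll", MODEL + "read", MODEL + "modify", MODEL + "read"):
        lines.append(f"{P}Evaluating authorization [{action}])")
        if action == MODEL + "read":
            lines.append(f"{P}Authorization is not applicable for phase {phase}")
        else:
            lines.append(f"{P}Authorization not applicable for operation {MODEL}read")
    lines.append(f"{P}AUTZ search pre-process: principal=pwmproxy, operation={MODEL}read: default deny")
    return lines

SAMPLE = "\n".join(constructed_pass("REQUEST") + constructed_pass("EXECUTION"))

if __name__ == "__main__":
    for d in summarise(SAMPLE):
        print(d["principal"], d["operation"], d["outcome"], phase_skips(d))
```

The parser expects one log entry per line, as in the server log file; entries wrapped by a mail client need to be re-joined first.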
</body>
</html>