<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello Aivo,</p>
<p><br>
</p>
<p>you're right - yesterday I tried it as administrator. Now, when
logging in as testuser, the role gets approved automatically.<br>
</p>
<p><br>
</p>
<p>The problem is that the script for determining approvers runs
under testuser authorizations, so it doesn't "see" the manager.
This is a design problem that I somehow overlooked. (Actually, the
problem is broader: there are also other scripts that could run as
part of the operation, like notification scripts, model script
hooks, and maybe some advanced mappings - all of these are
executed in the context of the logged-in user.)<br>
</p>
<p><br>
</p>
<p>We have to look at it more thoroughly. I've created <a
href="https://jira.evolveum.com/browse/MID-3343">MID-3343</a>
for it.</p>
<p><br>
</p>
<p>An immediate workaround is to give end users the ability to see at
least all users' OIDs:</p>
<pre><authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>UserType</type>
    </object>
    <item>a-non-existing-item-to-allow-see-only-OID</item>
</authorization>
</pre>
<p><br>
</p>
<p>This should be acceptable from a security point of view, as long as
you don't give end users the ability to use non-GUI access (and don't
allow them the "Configuration->Repository objects" part of the
menu).</p>
<p><br>
</p>
<p>As for the second problem (errors when logged in as testmanager):
this is probably related to <a
href="https://jira.evolveum.com/browse/MID-3121">MID-3121</a>.
But it shouldn't occur in this form, so I've created a separate <a
href="https://jira.evolveum.com/browse/MID-3344">MID-3344</a>
for it.<br>
</p>
<p><br>
</p>
<p>Overall, thanks for pointing out these problems. We'll do our best
to fix them.</p>
<p><br>
</p>
<p>Best regards,<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
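<p>As an added example (not part of this thread and not the midPoint project's own code), the following shows where the OID-only workaround authorization from the reply above belongs: inside a RoleType assigned to end users, next to the usual self-read grant. The role name and description, the <tt>self</tt> read authorization and the commented-out over-broad variant are assumptions for illustration; the OID-only authorization itself is the one from the reply.</p>

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the mailing-list thread or from the midPoint
     project. End-user role that lets the approver script resolve managers
     while exposing nothing but the OIDs of other users.
     Assumptions: role name/description and the "self" read grant. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>End user (OID-only visibility of other users)</name>
    <description>
        Self-service role. Grants full read of the subject's own user object
        plus OID-only read of all other users so that approver expressions
        such as midpoint.getManagersOidsExceptUser(object) can see the
        manager when they run under the requesting user's authorizations.
    </description>

    <!-- Normal end-user grant: read the user's own object only. -->
    <authorization>
        <name>self-read</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <special>self</special>
        </object>
    </authorization>

    <!-- Workaround from the reply: read all UserType objects, but restrict
         the readable items to a path that does not exist. The object is
         therefore readable (its OID is returned) while every real property
         is filtered out by the schema transformer. -->
    <authorization>
        <name>all-users-oid-only</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
        <item>a-non-existing-item-to-allow-see-only-OID</item>
    </authorization>

    <!-- Do NOT use this variant for end users. Without the item restriction
         the same grant exposes every property of every user (activation,
         assignments, extension data). It is kept here, commented out, only
         as the contrast case.
    <authorization>
        <name>all-users-full-read</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>
    -->
</role>
```

<p>Even with the OID-only variant, the caveat from the reply still applies: the role must not be combined with non-GUI access (REST or other APIs) or with the "Configuration->Repository objects" menu, because an enumerable list of all user OIDs is itself information that end users normally should not have, and those interfaces make enumerating it easy.</p>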
<div class="moz-cite-prefix">On 12.08.2016 15:32, Aivo Kuhlberg
wrote:<br>
</div>
<blockquote cite="mid:1471008745577.97856@rmit.ee" type="cite">
<p>Hi Pavol,<br>
Did you try to log on as testuser and request the role
"testrole-needsmanagerapproval"? In this case the request gets
automatically approved.<br>
When I assign the role to testuser as administrator, it
seems to work for me too. I see that the workflow process starts and
is waiting for testmanager approval. But when I log on as
testmanager and open the work item, the following errors appear in
the log:</p>
<pre>2016-08-12 16:38:23,359 [] [http-nio-8083-exec-4] ERROR (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error post-processing object task:00000000-0000-0000-0000-000000000005(null): Access denied
com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
...
2016-08-12 16:38:23,361 [] [http-nio-8083-exec-4] ERROR (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error post-processing object task:00000000-0000-0000-0000-000000000006(null): Access denied
com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
...
2016-08-12 16:38:23,363 [] [http-nio-8083-exec-4] ERROR (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error post-processing object task:00000000-0000-0000-0000-000000000007(null): Access denied
com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
...
2016-08-12 16:38:23,365 [] [http-nio-8083-exec-4] ERROR (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error post-processing object task:3fa47adf-4d08-4b94-9668-71c6b6fff1d0(null): Access denied
com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
...
2016-08-12 16:38:23,367 [] [http-nio-8083-exec-4] ERROR (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error post-processing object task:42bc12ce-24be-4146-baea-aed301707e7b(null): Access denied
com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
...
2016-08-12 16:38:23,371 [] [http-nio-8083-exec-4] ERROR (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error post-processing object task:63657c46-1fba-4586-997f-a45fa771567f(null): Access denied
com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
...
2016-08-12 16:38:23,373 [] [http-nio-8083-exec-4] ERROR (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error post-processing object task:7e2cc986-c454-48da-a706-cefa67d36c77(null): Access denied
com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
...
2016-08-12 16:38:23,375 [] [http-nio-8083-exec-4] ERROR (com.evolveum.midpoint.model.impl.controller.SchemaTransformer): Error post-processing object task:86508079-e041-44c9-a181-a0954b8cf2f9(null): Access denied
com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
</pre>
<p>User testmanager can still approve the request, but from the log
messages it seems that there are some authorization problems.<br>
</p>
<p><br>
</p>
<p>Regards,</p>
<p>Aivo<br>
</p>
<div style="color: rgb(33, 33, 33);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>Saatja:</b>
midPoint <a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com"><midpoint-bounces@lists.evolveum.com></a>
nimelPavol Mederly <a class="moz-txt-link-rfc2396E" href="mailto:mederly@evolveum.com"><mederly@evolveum.com></a><br>
<b>Saadetud:</b> 12. august 2016 15:09<br>
<b>Adressaat:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<b>Teema:</b> Re: [midPoint] Problem with role with manager
approval</font>
<div> </div>
</div>
<div>
<p>Aivo,</p>
<p><br>
</p>
<p>this is really strange.</p>
<p><br>
</p>
<p>I've imported your objects (testorg, testuser, testmanager,
and testrole-needsmanagerapproval). Assigned
testrole-needsmanagerapproval to testuser and it works...<br>
</p>
<p><br>
</p>
<p><img alt="" src="cid:part4.E38423EC.F6F45930@evolveum.com"
height="392" width="1062"></p>
<p><br>
</p>
<p>It's true that I have 3.5-SNAPSHOT, but I don't know of any
differences in the code in this respect...</p>
<p><br>
</p>
<p>Just to be sure, could you try on master? Or, could you
enable TRACE logging on:</p>
<ul>
<li>com.evolveum.midpoint.repo.sql.helpers.ObjectRetriever </li>
<li>com.evolveum.midpoint.repo.sql.query2<br>
</li>
</ul>
<p>and try again? (Unfortunately, this would produce tons of
log data.)</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 12.08.2016 13:47, Aivo
Kuhlberg wrote:<br>
</div>
<blockquote type="cite">
<p>Hi Pavol,</p>
<p>Here is the log:</p>
<pre>2016-08-12 14:49:02,001 [] [http-nio-8083-exec-9] TRACE (com.evolveum.midpoint.model.impl.expr.OrgStructFunctionsImpl): orgOids: [5b763e10-6c87-4a38-babb-067447f95f73]
2016-08-12 14:49:02,003 [] [http-nio-8083-exec-9] TRACE (com.evolveum.midpoint.model.impl.expr.OrgStructFunctionsImpl): retval: []
2016-08-12 14:49:02,004 [] [http-nio-8083-exec-9] TRACE (com.evolveum.midpoint.model.impl.expr.OrgStructFunctionsImpl): nextLevelOids: []
2016-08-12 14:49:02,004 [] [http-nio-8083-exec-9] WARN (com.evolveum.midpoint.wf.impl.processes.itemApproval.InitializeLoopThroughApproversInLevel): No approvers at the level 'null' for process Assigning testrole-needsmanagerapproval to testuser (id 10193)
</pre>
<p>and here are the objects (credentials removed):</p>
<p>testorg: <a moz-do-not-send="true"
href="http://pastebin.com/1rX21Chs">http://pastebin.com/1rX21Chs</a></p>
<p>testuser: <a moz-do-not-send="true"
href="http://pastebin.com/8iXPbefJ">http://pastebin.com/8iXPbefJ</a></p>
<p>testmanager: <a moz-do-not-send="true"
href="http://pastebin.com/PiKAcKdg">http://pastebin.com/PiKAcKdg</a></p>
<p><br>
</p>
<p>Regards,</p>
<p>Aivo</p>
<div style="color:rgb(33,33,33)">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"
color="#000000"><b>Saatja:</b> midPoint
<a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:midpoint-bounces@lists.evolveum.com">
<midpoint-bounces@lists.evolveum.com></a>
nimelPavol Mederly <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:mederly@evolveum.com">
<mederly@evolveum.com></a><br>
<b>Saadetud:</b> 12. august 2016 14:09<br>
<b>Adressaat:</b> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:midpoint@lists.evolveum.com">
midpoint@lists.evolveum.com</a><br>
<b>Teema:</b> Re: [midPoint] Problem with role with
manager approval</font>
<div> </div>
</div>
<div>
<p>Hello Aivo,</p>
<p><br>
</p>
<p>that's interesting. It should work. I don't see any
obvious problem, but I don't have enough time to try it
myself now.<br>
</p>
<p><br>
</p>
<p>You could enable TRACE logging for
com.evolveum.midpoint.model.impl.expr.OrgStructFunctionsImpl
and run your test once again.</p>
<p>If there is still no clue, please paste here the relevant parts of
the log, as well as the XML of your testuser, testmanager and
testorg objects.</p>
<p><br>
</p>
<p>Best regards,<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 12.08.2016 13:00, Aivo
Kuhlberg wrote:<br>
</div>
<blockquote type="cite">
<p>Hello,<br>
</p>
<p>I am trying to test (in MP 3.4) the situation where a
user requests a role which requires the approval of the user's
organization manager, but so far I have not
succeeded.<br>
I created the following role (based on the Sensitive Role 3
example here: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://wiki.evolveum.com/display/midPoint/Some+examples">
https://wiki.evolveum.com/display/midPoint/Some+examples</a> ):</p>
<pre><role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>testrole-needsmanagerapproval</name>
    <requestable>true</requestable>
    <approverExpression>
        <description>Get user's managers (except the user itself)</description>
        <script>
            <code>midpoint.getManagersOidsExceptUser(object)</code>
        </script>
    </approverExpression>
</role>
</pre>
<p>I have created users testuser and testmanager and
added both to the organization testorg as members,
and also testmanager as manager.<br>
I added the role Approver to testmanager.<br>
Now when I request the role
"testrole-needsmanagerapproval" for user testuser,
the role gets automatically assigned without manager
approval. It seems that the getManagersOidsExceptUser
function does not find any manager for that user and
therefore this role is approved automatically. Why
is that?<br>
<br>
</p>
<p>Best regards,</p>
<p>Aivo Kuhlberg<br>
</p>
<br>
<hr>
<font face="Arial" color="Gray" size="2">Käesolev
e-kiri võib sisaldada asutusesiseseks kasutamiseks
tunnistatud teavet.<br>
This e-mail may contain information which is
classified for official use.</font> <br>
<br>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</blockquote>
<br>
</body>
</html>