<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Aivo,<br>
<br>
That's right again. The authorization mechanism in midPoint runs
quite deep. The report is executed as a task. The owner of that task is
the user who executed it. And such a task can only access the data
that are accessible to the task owner. This is one of the basic
"defense in depth" mechanisms that midPoint implements. It may be a
security issue if we allow a report to access more data than the
user who executes it is allowed to see.<br>
<br>
But I see what you need. You may want something like a UNIX "suid"
mechanism for reports. This can be done in tasks, so it also should
work for scheduled reports. But I do not know if we have anything
like that for reports that are explicitly executed from the GUI.
Maybe one of my colleagues will know.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
<div class="moz-cite-prefix">On 09/15/2016 01:45 PM, Aivo Kuhlberg
wrote:<br>
</div>
<blockquote cite="mid:1473939938261.93830@rmit.ee" type="cite">
<p>I was too optimistic in my previous mail. In principle the
reporting functions now work, but when I view the generated
reports, the reported results depend on the authorization
of the user who generated the report. To save my time figuring
out the correct authorizations for each report, is it possible to run
reports under another user name who has more rights (e.g.
administrator)?<br>
<br>
Best Regards,<br>
Aivo Kuhlberg<br>
</p>
<div style="font-size:12pt; color:#000000;
background-color:#FFFFFF;
font-family:Calibri,Arial,Helvetica,sans-serif" dir="ltr">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
midPoint <a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com"><midpoint-bounces@lists.evolveum.com></a>
on behalf of Aivo Kuhlberg <a class="moz-txt-link-rfc2396E" href="mailto:aivo.kuhlberg@rmit.ee"><aivo.kuhlberg@rmit.ee></a><br>
<b>Sent:</b> 15 September 2016 13:54<br>
<b>To:</b> midPoint General Discussion<br>
<b>Subject:</b> Re: [midPoint] Authorizing access to reports</font>
</div>
<div>
<p>I think I figured out what my problem was. It seems that there
also exists a ReportOutputType. So the following additional
authorization solved my problems:</p>
<pre>
<authorization>
    <action><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></action>
    <action><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</a></action>
    <object>
        <type>ReportOutputType</type>
    </object>
</authorization>
</pre>
<p>Best Regards,<br>
Aivo Kuhlberg<br>
</p>
<div dir="ltr" style="font-size:12pt; color:#000000;
background-color:#FFFFFF;
font-family:Calibri,Arial,Helvetica,sans-serif">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"
color="#000000"><b>From:</b> midPoint
<a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com"><midpoint-bounces@lists.evolveum.com></a> on behalf of Aivo
Kuhlberg <a class="moz-txt-link-rfc2396E" href="mailto:aivo.kuhlberg@rmit.ee"><aivo.kuhlberg@rmit.ee></a><br>
<b>Sent:</b> 15 September 2016 13:40<br>
<b>To:</b> midpoint<br>
<b>Subject:</b> [midPoint] Authorizing access to reports</font>
</div>
<div>
<p>I want to create a role which gives a user the ability to
access the reports section. The user should see reports, run
them and access the generated reports. Unfortunately
there is not much information to be found in the wiki about
reports authorization. So far I figured out how to give
access to the reports section by adding the reportsAll GUI
authorization. I also figured out that there exists a
ReportType object and by adding read ability to that
object I succeeded in running a report. Unfortunately I don't
see any created reports. It seems that there is still some
authorization missing. My current authorizations in the role
are the following:</p>
<pre>
<authorization>
    <action><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#reportsAll">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#reportsAll</a></action>
</authorization>
<authorization>
    <action><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></action>
    <object>
        <type>ReportType</type>
    </object>
</authorization>
</pre>
<p>Best Regards,<br>
Aivo Kuhlberg<br>
</p>
<br>
<hr>
<font face="Arial" color="Gray" size="2">This e-mail may contain information which is classified
for official use.</font> </div>
</div>
</div>
</div>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
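<p>The thread's findings assembled into one midPoint role, as an added example that is not code posted by Aivo or Radovan: the role name and oid are placeholders, and the trailing UserType authorization is an assumption added to illustrate Radovan's point that the report task runs as its owner and therefore only sees data the owner may read.</p>

```xml
<!-- Role granting the report workflow discussed in the thread:
     open the Reports section, run reports, and read/delete the output. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="PLACEHOLDER-OID">
    <name>Report User</name>

    <!-- GUI: access to the Reports section -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#reportsAll</action>
    </authorization>

    <!-- Model: see report definitions, which is needed to run them -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>ReportType</type>
        </object>
    </authorization>

    <!-- Model: see (and clean up) the generated report output -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
        <object>
            <type>ReportOutputType</type>
        </object>
    </authorization>

    <!-- The report task runs as its owner, so the output only contains data
         the owner is allowed to read. Grant read on the types the report
         queries as well; UserType here is an assumed illustration, not
         something the thread specifies. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>
</role>
```

<p>Without the last authorization the role lets the user run the report, but the output stays as empty as the user's own view of the data, which is the behaviour Aivo observed.</p>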
</body>
</html>