<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Or, could you try the following:</p>
    <p><br>
    </p>
    <p>Just add the certification-specific authorizations  _without_
      specifying object type. These are not applicable to any other
      type, so it's no security risk. As I looked at the code, it should
      help.<br>
    </p>
    <pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
    <div class="moz-cite-prefix">On 16.09.2016 10:40, Aivo Kuhlberg
      wrote:<br>
    </div>
    <blockquote cite="mid:1474015207513.86051@rmit.ee" type="cite">
      <p>I have created a special user who should have access to manage
        all certification tasks. Unfortunately, this user cannot close
        the certification stage campaign when the campaign is in state
        'In remediation'.<br>
        I have assigned the user a role which has the following authorizations:<br>
        <br>
        <span style="font-family: Consolas,monospace; color: rgb(0, 111, 201); font-size: 10pt;">
          &nbsp;&nbsp;&nbsp;&nbsp;&lt;authorization id="1"&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#certificationAll&lt;/action&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&lt;/authorization&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&lt;authorization id="2"&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read&lt;/action&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add&lt;/action&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify&lt;/action&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete&lt;/action&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#createCertificationCampaign&lt;/action&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaign&lt;/action&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;object&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;type&gt;AccessCertificationDefinitionType&lt;/type&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/object&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&lt;/authorization&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&lt;authorization id="3"&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read&lt;/action&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete&lt;/action&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#openCertificationCampaignReviewStage&lt;/action&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaignReviewStage&lt;/action&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#startCertificationRemediation&lt;/action&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaign&lt;/action&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;object&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;type&gt;AccessCertificationCampaignType&lt;/type&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/object&gt;<br>
          &nbsp;&nbsp;&nbsp;&nbsp;&lt;/authorization&gt;</span><br>
        <br>
        Notice that I have set 'closeCertificationCampaign' auth both
        for 'AccessCertificationDefinitionType' and
        'AccessCertificationCampaignType' (<a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Access+Certification+Security">wiki
          says</a> that this should be set only for
        'AccessCertificationCampaignType').<br>
        In addition to these authorizations, the user has the role 'Reviewer'
        assigned.<br>
        I have created a certification definition and set remediation to
        'Manual reconciliation (non-conformant items are reported)'.<br>
        After that I created a new campaign, started it and closed the
        stage. Then I started the remediation. So far it works fine, but
        when I want to close the campaign, which is now in the remediation
        stage, I see the following error:<br>
        <span style="color: rgb(255, 0, 0);">User ''certmanager'' not
          authorized for operation
<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaign">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaign</a></span><br>
        <br>
      </p>
      <p>Best Regards,</p>
      <p>Aivo Kuhlberg<br>
      </p>
      <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
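    <p>An added example, not part of the original thread and not midPoint's own
      documentation: one way to write the change the reply suggests, using only
      the action URIs from the quoted role. It assumes that
      "certification-specific" means the five campaign lifecycle actions, and it
      leaves the generic read/add/modify/delete actions scoped by object type,
      since dropping the type there would widen them to every object.</p>

```xml
<!-- Added example (assumption-based sketch); the #certificationAll UI
     authorization from the quoted role is unchanged and not repeated here. -->

<!-- Generic object actions: keep the <object><type> scope exactly as before. -->
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
    <object>
        <type>AccessCertificationDefinitionType</type>
    </object>
</authorization>
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
    <object>
        <type>AccessCertificationCampaignType</type>
    </object>
</authorization>

<!-- Certification-specific actions: moved into their own authorization
     with no <object> element, as the reply proposes. These actions apply
     only to certification objects, so no type restriction is stated. -->
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#createCertificationCampaign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#openCertificationCampaignReviewStage</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaignReviewStage</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#startCertificationRemediation</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#closeCertificationCampaign</action>
</authorization>
```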
    <br>
  </body>
</html>