<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Aivo, Radovan,</p>
<p><br>
</p>
<p>I don't think we have anything like that. <br>
</p>
<p><br>
</p>
<p>It could be perhaps simulated by creating a recurrent runnable
task (with the interval of zero meaning it should be triggered
manually).</p>
<p>The task would be owned by administrator.</p>
<p>And users would have the rights to "run now" i.e. <i><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#runTaskImmediately">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#runTaskImmediately</a></i>
just for this task.</p>
<p>But it would be perhaps a bit complicated for them, as they would
need to go to Tasks part of the GUI, find the task and run it.
Maybe finding the task would not be a big problem, if they would
have authorization to see only selected tasks, so other ones would
be hidden from them. However, this would collide with a workaround
for <a href="https://jira.evolveum.com/browse/MID-3120">MID-3120</a>
that you maybe use.</p>
<p><br>
</p>
<p>Best regards,<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 15.09.2016 13:55, Radovan Semancik
wrote:<br>
</div>
<blockquote
cite="mid:627d6e80-d3fc-7874-e2e5-50607d0b7d86@evolveum.com"
type="cite">
Hi Aivo,<br>
<br>
That's right again. The authorization mechanism in midPoint runs
quite deep. The report is executed as a task. Owner of that task
is the user who executed it. And such task can only access the
data that are accessible to the task owner. This is one of the
basic "defense in depth" mechanisms that midPoint implements. It
may be a security issue if we allow a report to access more data
than the user who executes it is allowed to see.<br>
<br>
But I see what you need. You maybe want something like a UNIX
"suid" mechanism for reports. This can be done in tasks, so it
also should work for scheduled reports. But I do not know if we
have anything like that for reports that are explicitly executed
from the GUI. Maybe one of my colleagues will know.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
<div class="moz-cite-prefix">On 09/15/2016 01:45 PM, Aivo Kuhlberg
wrote:<br>
</div>
<blockquote cite="mid:1473939938261.93830@rmit.ee" type="cite">
<p>I was too optimistic in my previous mail. In principle
reporting functions now work but when I view the generated
reports then the reported results depend on the
authorization of the user who generated the report. To save my
time figuring out correct authorizations for each report, is it
possible to run reports under another user name who has more
rights (e.g. administrator)?<br>
<br>
Best Regards,<br>
Aivo Kuhlberg<br>
</p>
<div style="font-size:12pt; color:#000000;
background-color:#FFFFFF;
font-family:Calibri,Arial,Helvetica,sans-serif" dir="ltr">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
midPoint <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:midpoint-bounces@lists.evolveum.com"><midpoint-bounces@lists.evolveum.com></a>
on behalf of Aivo Kuhlberg <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:aivo.kuhlberg@rmit.ee"><aivo.kuhlberg@rmit.ee></a><br>
<b>Sent:</b> 15 September 2016 13:54<br>
<b>To:</b> midPoint General Discussion<br>
<b>Subject:</b> Re: [midPoint] Authorizing access to reports</font>
<div> </div>
</div>
<div>
<p>I think I figured out what my problem was. Seems that
there exists also ReportOutputType. So the following
additional authorization solved my problems:</p>
<pre><authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
    <object>
        <type>ReportOutputType</type>
    </object>
</authorization></pre>
<p>Best Regards,<br>
Aivo Kuhlberg<br>
</p>
<div dir="ltr" style="font-size:12pt; color:#000000;
background-color:#FFFFFF;
font-family:Calibri,Arial,Helvetica,sans-serif">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"
color="#000000"><b>From:</b> midPoint <a
moz-do-not-send="true" class="moz-txt-link-rfc2396E"
href="mailto:midpoint-bounces@lists.evolveum.com"><midpoint-bounces@lists.evolveum.com></a>
on behalf of Aivo Kuhlberg <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:aivo.kuhlberg@rmit.ee"><aivo.kuhlberg@rmit.ee></a><br>
<b>Sent:</b> 15 September 2016 13:40<br>
<b>To:</b> midpoint<br>
<b>Subject:</b> [midPoint] Authorizing access to reports</font>
<div> </div>
</div>
<div>
<p>I want to create a role which gives user ability to
access reports section. User should see reports, run
them and access the generated reports. Unfortunately
there is not much information found in wiki about
reports authorization. So far I figured out how to
give access to reports section by adding reportsAll
GUI authorization. I also figured out that there
exists ReportType object and by adding read ability to
that object I succeeded to run report. Unfortunately I
don't see any created reports. Seems that there is
still some authorization missing. My current
authorizations in role are following:</p>
<pre><authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#reportsAll</action>
</authorization>
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object>
        <type>ReportType</type>
    </object>
</authorization></pre>
<p>Best Regards,<br>
Aivo Kuhlberg<br>
</p>
<br>
<hr> <font face="Arial" color="Gray" size="2">Käesolev
e-kiri võib sisaldada asutusesiseseks kasutamiseks
tunnistatud teavet.<br>
This e-mail may contain information which is
classified for official use.</font> </div>
</div>
<br>
</div>
</div>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</blockquote>
<br>
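<p>The gap found in the thread above (a role that can run reports but cannot read their output), as an added example that is not part of the original mails or midPoint's own code: a small Python check that lists which of the three authorizations the thread arrived at are missing from a role. The sample roles are constructed and omit XML namespaces like the snippets in the mails; treating an authorization without an object element as covering every type is an assumption.</p>

```python
import xml.etree.ElementTree as ET

UI = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#"
MODEL = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#"

# What the thread found a report user needs: (action URI, object type or None).
REQUIRED = [
    (UI + "reportsAll", None),
    (MODEL + "read", "ReportType"),
    (MODEL + "read", "ReportOutputType"),
]

def granted(role_xml):
    """Return the set of (action, type) pairs granted; type None means no <object> limit."""
    pairs = set()
    for auth in ET.fromstring(role_xml).iter("authorization"):
        actions = [a.text.strip() for a in auth.findall("action") if a.text]
        types = [t.text.strip() for t in auth.findall("object/type") if t.text] or [None]
        pairs.update((a, t) for a in actions for t in types)
    return pairs

def missing(role_xml):
    """List the required (action, type) pairs that the role does not grant."""
    have = granted(role_xml)
    # Assumption: an authorization without <object> covers every object type.
    return [(a, t) for a, t in REQUIRED if (a, t) not in have and (a, None) not in have]

# Constructed sample: the role from the first mail (no ReportOutputType yet).
FIRST_ROLE = f"""<role>
  <authorization><action>{UI}reportsAll</action></authorization>
  <authorization>
    <action>{MODEL}read</action>
    <object><type>ReportType</type></object>
  </authorization>
</role>"""

# Constructed sample: the same role plus the authorization from the follow-up mail.
FIXED_ROLE = FIRST_ROLE.replace("</role>", f"""  <authorization>
    <action>{MODEL}read</action>
    <action>{MODEL}delete</action>
    <object><type>ReportOutputType</type></object>
  </authorization>
</role>""")

if __name__ == "__main__":
    print("first role is missing:", missing(FIRST_ROLE))
    print("fixed role is missing:", missing(FIXED_ROLE))
```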
</body>
</html>