<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
The GUI should use raw operations only when dealing with raw XML data.
All other operations should be regular (non-raw) ones. Therefore,
if the GUI is using a raw operation to work with reports, it is indeed a
core bug.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
On 10/04/2018 07:50 PM, Brandon Powers wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAP-GOHcG_nED0WNHGOMMR++i-Y+=YNN0YbDhqFZY3GkgeBPYTQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<div dir="ltr">Hi all,
<div>A newer RAW OPERATION authorization was added to midPoint
in version 3.7 (<a
href="https://wiki.evolveum.com/display/midPoint/Authorization+Configuration"
moz-do-not-send="true">https://wiki.evolveum.com/display/midPoint/Authorization+Configuration</a>).
We are working on upgrading from 3.6 to 3.8 and encountered
an issue with this authorization with regard to reports. It
seems this authorization is required to run reports (or to
execute the queries for these reports) for the object types used
in the report.</div>
<div><br>
</div>
<div>We have some custom reports, but also found the same issue
with stock midPoint reports, such as "Users in MidPoint".
When executing these reports with a user of limited
authorizations (not having the rawOperation auth for security
purposes as documented in wiki), the report fails and the
following error is logged for the task:</div>
<div>
<table>
<tbody>
<tr>
<td>1000000000000028753</td>
<td>ReportCreateTaskHandler.run</td>
<td>FATAL_ERROR</td>
<td>com.evolveum.midpoint.util.exception.AuthorizationException:
User ''&lt;username-redacted&gt;'' not authorized
for operation <a
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#rawOperation"
moz-do-not-send="true">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#rawOperation</a>
on
user:42231112-3639-4a8d-bf86-16b1958deecf(&lt;username-redacted&gt;)</td>
</tr>
</tbody>
</table>
</div>
<div>Is this a core bug or a report configuration bug? Is there any way
around this without having to grant the rawOperation
authorization to these users?</div>
<div><br>
</div>
<div>For reference, I found this authorization is being checked
in the com.evolveum.midpoint.model.impl.controller.SchemaTransformer::authorizeOptions
method.</div>
<div><br>
</div>
<div>Any advice is appreciated.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Brandon</div>
</div>
-- <br>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>Brandon Powers</div>
<div>
<div>Exclamation Labs</div>
<div>300 Washington Street</div>
<div>Cumberland, MD 21502</div>
<div><a moz-do-not-send="true">888.545.5008</a> or <a
moz-do-not-send="true">301.722.5008 ext 144</a></div>
<div>fax <a moz-do-not-send="true">301.722.2183</a></div>
<div><a moz-do-not-send="true">brandon@exclamationlabs.com</a></div>
<div><a moz-do-not-send="true">www.exclamationlabs.com</a></div>
</div>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
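<div>Before deciding whether to grant rawOperation more widely as a workaround, it helps to know which roles already carry it. The following audit script is an added example, not code from this thread or from midPoint: it scans a midPoint object export for authorizations whose action is rawOperation, or the all action that implies it, and reports the object types each grant is scoped to. The namespaces and action URIs are midPoint's; the three role definitions are constructed samples.</div>

```python
import xml.etree.ElementTree as ET

COMMON_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
AUTHZ_NS = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3"
RAW_ACTION = AUTHZ_NS + "#rawOperation"
ALL_ACTION = AUTHZ_NS + "#all"  # superuser-style grant, implies rawOperation
NS = {"c": COMMON_NS}

# Constructed sample export (not real roles): one least-privilege report
# reader, one role that grants rawOperation, and one superuser-style role.
SAMPLE_ROLES = f"""<objects xmlns="{COMMON_NS}">
  <role oid="00000000-0000-0000-0000-00000000aaaa">
    <name>Report Reader</name>
    <authorization>
      <action>{AUTHZ_NS}#read</action>
      <object><type>UserType</type></object>
    </authorization>
  </role>
  <role oid="00000000-0000-0000-0000-00000000bbbb">
    <name>Raw XML Editor</name>
    <authorization>
      <action>{AUTHZ_NS}#read</action>
      <action>{RAW_ACTION}</action>
      <object><type>UserType</type></object>
    </authorization>
  </role>
  <role oid="00000000-0000-0000-0000-00000000cccc">
    <name>Superuser</name>
    <authorization><action>{ALL_ACTION}</action></authorization>
  </role>
</objects>"""


def audit_raw_grants(xml_text: str) -> list:
    """Return one finding per authorization that grants rawOperation,
    directly or via #all, with the object types the grant is scoped to."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() yields the root itself when the export is a single <role>.
    for role in root.iter(f"{{{COMMON_NS}}}role"):
        name = role.findtext("c:name", default="(unnamed)", namespaces=NS)
        for authz in role.findall("c:authorization", NS):
            actions = {a.text.strip() for a in authz.findall("c:action", NS) if a.text}
            if RAW_ACTION not in actions and ALL_ACTION not in actions:
                continue
            types = [t.text.strip() for t in authz.findall("c:object/c:type", NS) if t.text]
            via = "all" if ALL_ACTION in actions else "rawOperation"
            findings.append({"role": name, "via": via, "object_types": types or ["(any)"]})
    return findings
```

Run it against a real export (for example the output of the midPoint export of RoleType objects) instead of SAMPLE_ROLES to list every role that would bypass regular authorization checks.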
<br>
<br>
</body>
</html>