<div dir="auto"><p>Hello,</p>
<p>I am trying to write an authorization to authorize a user to read all the roles which are assigned to him with a relation « approver » on midPoint 4.3.1.</p>
<p>I tried first to use the <code>&lt;roleRelation&gt;</code> in the <code>&lt;object&gt;</code> (cf. below), but with <code>&lt;enforcementStrategy&gt;maySkipOnSearch&lt;/enforcementStrategy&gt;</code> I get nothing (the « all roles » search is empty), and without it I get the error « cannot count objects » during the operations <code>operation.com.evolveum.midpoint.web.component.data.SelectableBeanContainerDataProvider.countObjects</code> and <code>operation.com.evolveum.midpoint.model.api.ModelService.countObjects</code>, with « java error java.lang.UnsupportedOperationException: Inefficient roleRelation search (includeReferenceRole=true) is not supported yet at com.evolveum.midpoint.security.enforcer.impl.SecurityEnforcerImpl.processRoleRelationFilter(SecurityEnforcerImpl.java:1909) ».
And if I remove <code>&lt;includeReferenceRole&gt;true&lt;/includeReferenceRole&gt;</code>, the « all roles » search is empty again.</p>
<p>This issue seems to relate to this JIRA issue: <a href="https://jira.evolveum.com/browse/MID-6359">https://jira.evolveum.com/browse/MID-6359</a>.</p>
<pre>&lt;authorization&gt;
    &lt;name&gt;Roles items read authorizations&lt;/name&gt;
    &lt;description&gt;Authorization to read roles which are assigned to the user with approver relation&lt;/description&gt;
    &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read&lt;/action&gt;
    &lt;enforcementStrategy&gt;maySkipOnSearch&lt;/enforcementStrategy&gt;
    &lt;object&gt;
        &lt;type&gt;RoleType&lt;/type&gt;
        &lt;roleRelation&gt;
            &lt;subjectRelation&gt;org:approver&lt;/subjectRelation&gt;
            &lt;includeMembers&gt;false&lt;/includeMembers&gt;
            &lt;includeReferenceRole&gt;true&lt;/includeReferenceRole&gt;
        &lt;/roleRelation&gt;
    &lt;/object&gt;
&lt;/authorization&gt;</pre>
<p>I was able to work around this with the following authorization using the inOid filter:</p>
<pre>&lt;authorization&gt;
    &lt;name&gt;Roles items read authorizations&lt;/name&gt;
    &lt;description&gt;Authorization to read roles which are assigned to the user with approver relation&lt;/description&gt;
    &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read&lt;/action&gt;
    &lt;object&gt;
        &lt;type&gt;RoleType&lt;/type&gt;
        &lt;filter&gt;
            &lt;q:inOid&gt;
                &lt;expression&gt;
                    &lt;script&gt;
                        &lt;code&gt;
                            // construction of the list of role OIDs which the user can read
                            roleOids = []

                            // for each user assignment
                            for (assignment in actor.assignment) {
                                ref = assignment.targetRef
                                // skip assignments that have no target reference (e.g. constructions)
                                if (ref == null || ref.relation == null) {
                                    continue
                                }
                                // if the assignment/role has an approver relation, add the role oid to the list
                                if (ref.relation.toString().contains("approver")) {
                                    roleOids.add(ref.getOid())
                                }
                            }
                            return roleOids
                        &lt;/code&gt;
                    &lt;/script&gt;
                &lt;/expression&gt;
            &lt;/q:inOid&gt;
        &lt;/filter&gt;
    &lt;/object&gt;
&lt;/authorization&gt;</pre>
<p>This works but feels a little bit hacky to me. Is there a better approach?</p>
<p>-Frederic</p></div>
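<p>As an added illustration (not part of Frederic's post or of midPoint's own code), the following stand-alone Groovy script mirrors the inOid expression above on constructed assignment data: it compares the relation as a QName (org:approver) instead of matching a substring of its string form, and it skips assignments that carry no targetRef, such as a construction-only assignment, which would otherwise raise a NullPointerException when the expression runs. The OIDs and the map-based stand-in for <code>actor.assignment</code> are assumptions made for the demonstration.</p>

```groovy
import groovy.transform.Field
import javax.xml.namespace.QName

// The "org:" prefix used in org:approver resolves to this midPoint namespace.
// @Field makes the constant visible inside the method below (script-level locals are not).
@Field final QName APPROVER =
    new QName('http://midpoint.evolveum.com/xml/ns/public/common/org-3', 'approver')

// Computes the OIDs the actor may read: targets of assignments held with the approver relation.
// Returns them deduplicated, in first-seen order, ready to be used as the inOid filter value.
List<String> approvedRoleOids(List assignments) {
    Set<String> oids = new LinkedHashSet<>()
    for (assignment in assignments) {
        def ref = assignment.targetRef
        if (ref == null || ref.oid == null) {
            continue            // no target at all, e.g. a construction-only assignment
        }
        // relation is a QName in midPoint: compare namespace and local part, not toString()
        if (ref.relation instanceof QName && ref.relation == APPROVER) {
            oids << ref.oid
        }
    }
    return oids as List
}

// Constructed stand-in for actor.assignment (hypothetical OIDs, not from any real deployment)
def actorAssignments = [
    [targetRef: [oid: '00000000-0000-0000-0000-00000000aaaa', type: 'RoleType', relation: APPROVER]],
    [targetRef: [oid: '00000000-0000-0000-0000-00000000bbbb', type: 'RoleType',
                 relation: new QName(APPROVER.namespaceURI, 'default')]],   // ordinary membership
    [construction: [resourceRef: [oid: '00000000-0000-0000-0000-00000000cccc']]],  // no targetRef
    [targetRef: [oid: '00000000-0000-0000-0000-00000000aaaa', type: 'RoleType', relation: APPROVER]],
]

def allowed = approvedRoleOids(actorAssignments)
assert allowed == ['00000000-0000-0000-0000-00000000aaaa']
println "inOid filter would contain: ${allowed}"
```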