<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello Yakov,</p>
<p>you are right. The application of the get/search distinction is not
sufficient here.</p>
<p>There are two options:</p>
<ol>
<li>You can run the expression under a user with higher privileges
(even the administrator) - look for "runAsRef" item. But beware,
this incurs a login operation each time the expression is
evaluated (could take up to tens of milliseconds).</li>
<li>You can invoke OrgStructFunctions#getManagersOidsExceptUser
directly, with the second parameter ("preAuthorized") set to
true. The implementation is really ugly and probably not much
tested (I created it many years ago), but nevertheless, it
should work.</li>
</ol>
<p>Option 1 is going to be fixed by something like "runAsPrivileged"
coming in 4.8. But we're not there yet.</p>
<p>Best regards,<br>
</p>
<pre class="moz-signature" cols="72">--
Pavol Mederly
Software developer
evolveum.com</pre>
<div class="moz-cite-prefix">On 12/05/2023 15:35, Yakov Revyakin via
midPoint wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CALXvSnu=3tdc4ehz0UdOU+DkvAiajmi_2_q1Whn=4U+mvA_1eg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi Pavol, thanks to your answer
I took a step forward in understanding the concept, but still
without a final solution.
<div><br>
</div>
<div>So, to limit the list of available users during role
shopping we limit the "search" authorization. For example, to
limit this list always to self and "test" we need to add one
extra authorization in addition to the End-User role, which
provides the following authorization: #read (#search + #get)
for self, #get for any user.</div>
<div><br>
</div>
<div><pre><authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search</action>
    <object>
        <type>UserType</type>
        <filter>
            <q:equal>
                <q:path>name</q:path>
                <expression>
                    <value>test</value>
                </expression>
            </q:equal>
        </filter>
    </object>
</authorization></pre>
<div><br>
</div>
<div>User list shows 2 available users - very nice.</div>
<div><br>
</div>
<div>I don't understand how this can help to get a non-empty
list with "midpoint.getManagersOidsExceptUser(object)"</div>
<div>To get it I must add #search to "manager" user. This, in
its turn, adds an additional user to the list and this is
not what I expect.</div>
<div><br>
</div>
<div>What did I miss again?</div>
<div><br>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, 10 May 2023 at 09:24,
Pavol Mederly via midPoint <<a
href="mailto:midpoint@lists.evolveum.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">midpoint@lists.evolveum.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello
Yakov,<br>
<br>
please check the docs. There's a nice explanation of various
flavors of <br>
"read" authorization, covering exactly your use case.<br>
<br>
Best regards,<br>
<br>
-- <br>
Pavol Mederly<br>
Software developer<br>
<a href="http://evolveum.com" rel="noreferrer" target="_blank"
moz-do-not-send="true">evolveum.com</a><br>
<br>
On 09/05/2023 18:13, Yakov Revyakin via midPoint wrote:<br>
> Hi all,<br>
> I'm looking for a way to authorize a user to read their
own managers.<br>
><br>
> In case of a role request for self (with assigned
built-in End-User <br>
> role) we can see in UI, clicking on button "Requesting
for", that <br>
> users' list is limited by self.<br>
> In metarole I have definition:<br>
><br>
> <approverExpression><br>
> <script><br>
> <code><br>
> return <br>
> midpoint.getManagersOidsExceptUser(object)<br>
> </code><br>
> </script><br>
> </approverExpression><br>
> <evaluationStrategy>firstDecides</evaluationStrategy><br>
> <outcomeIfNoApprovers>reject</outcomeIfNoApprovers><br>
><br>
> If the user requests a role, getManagersOidsExceptUser()
can't return <br>
> managers because it is not authorized. This results in
automatic <br>
> rejection of the request.<br>
> If I'm adding something like this:<br>
><br>
> <authorization><br>
> <br>
> <action><a
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></action><br>
> <object><br>
> <type>UserType</type><br>
> </object><br>
> </authorization><br>
><br>
> getManagersOidsExceptUser() returns managers correctly.
But, clicking <br>
> on the button "Requesting for" I can see all existing
users. But I <br>
> still want to see only myself in the list.<br>
><br>
> How to get the user authorized to read own managers? And,
at the same <br>
> time, not to break user list under the "Requesting for"
button with <br>
> extra users?<br>
><br>
> Thanks,<br>
> Yakov<br>
><br>
> _______________________________________________<br>
> midPoint mailing list<br>
> <a href="mailto:midPoint@lists.evolveum.com"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">midPoint@lists.evolveum.com</a><br>
> <a
href="https://lists.evolveum.com/mailman/listinfo/midpoint"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote>
</div>
</blockquote>
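<p>As an added illustration of option 1 from the reply above (not part of the original thread), here is the approver expression from the question with a <code>runAsRef</code> element added, so the script is evaluated under a dedicated account rather than the requesting user. The OID is a placeholder and the element placement is an assumption to be checked against the midPoint version in use.</p>

```xml
<!-- Added example, not from the thread: the approverExpression body is the one
     posted in the question; the runAsRef element is option 1 from the reply.
     Assumption: the OID is a placeholder for a service user that holds only the
     #read authorization on UserType that getManagersOidsExceptUser() needs.
     Keep that account minimal, since every evaluation logs in as it. -->
<approverExpression>
    <runAsRef oid="REPLACE-WITH-SERVICE-USER-OID" type="UserType"/>
    <script>
        <code>
            return midpoint.getManagersOidsExceptUser(object)
        </code>
    </script>
</approverExpression>
<evaluationStrategy>firstDecides</evaluationStrategy>
<outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
```

With this, the requester's own #search authorization stays limited to self, so the "Requesting for" list is unchanged, while the manager lookup runs with the service user's read rights.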
</body>
</html>