<div dir="ltr">Hi Pavol,<br><div>Thanks a lot - runAsRef solved my problem. I completely forgot about this option.</div><div>I remember that could see OrgStructFunctions#getManagersOidsExceptUser with preauthorized param when debugged and that time didn't understand the purpose of this option. <br></div><div>Yakov</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 12 May 2023 at 16:44, Pavol Mederly via midPoint <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <p>Hello Yakov,</p>
    <p>you are right. The application of get/search distinction is not
      sufficient here.</p>
    <p>There are two options:</p>
    <ol>
      <li>You can run the expression under a user with higher privileges
        (even the administrator) - look for "runAsRef" item. But beware,
        this incurs a login operation each time the expression is
        evaluated (could take up to tens of milliseconds).</li>
      <li>You can invoke OrgStructFunctions#getManagersOidsExceptUser
        directly, with the second parameter ("preAuthorized") set to
        true. The implementation is really ugly and probably not much
        tested (I created it many years ago), but nevertheless, it
        should work.</li>
    </ol>
    <p>Option 1 is going to be fixed by something like "runAsPrivileged"
      coming in 4.8. But we're not there yet.</p>
    <p>Best regards,<br>
    </p>
    <pre cols="72">-- 
Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a></pre>
    <div>On 12/05/2023 15:35, Yakov Revyakin via
      midPoint wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">Hi Pavol, thanks to your answer
        I took a step forward in understanding the concept. But, still
        without a final solution.
        <div><br>
        </div>
        <div>So, to limit the list of available users during role
          shopping we limit the "search" authorization. For example, to
          limit this list always by self and "test" we need to add one
          extra authorization in addition to the End-User role which
          provides the following authorization: #read (#search + #get)
          for self, #get for any user).</div>
        <div><br>
        </div>
        <div><authorization><br>
              <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3<b>#search</b></a></action><br>
              <object><br>
                  <type>UserType</type><br>
                  <filter><br>
                      <q:equal><br>
                          <q:path>name</q:path><br>
                          <expression><br>
                              <value><b>test</b></value><br>
                          </expression><br>
                      </q:equal><br>
                  </filter><br>
              </object><br>
          </authorization><br>
          <div><br>
          </div>
          <div>User list shows 2 available users - very nice.</div>
          <div><br>
          </div>
          <div>I don't understand how this can help to get a non-empty
            list with "midpoint.getManagersOidsExceptUser(object)"</div>
          <div>To get it I must add #search to "manager" user. This, in
            its turn, adds an additional user to the list and this is
            not what I expect.</div>
          <div><br>
          </div>
          <div>What I missed again?</div>
          <div><br>
          </div>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Wed, 10 May 2023 at 09:24,
          Pavol Mederly via midPoint <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello
          Yakov,<br>
          <br>
          please check the docs. There's a nice explanation of various
          flavors of <br>
          "read" authorization, covering exactly your use case.<br>
          <br>
          Best regards,<br>
          <br>
          -- <br>
          Pavol Mederly<br>
          Software developer<br>
          <a href="http://evolveum.com" rel="noreferrer" target="_blank">evolveum.com</a><br>
          <br>
          On 09/05/2023 18:13, Yakov Revyakin via midPoint wrote:<br>
          > Hi all,<br>
          > I'm looking for a way to authorize a user to read their
          own managers.<br>
          ><br>
          > In case of a role request for self (with assigned
          built-in End-User <br>
          > role) we can see in UI, clicking on button "Requesting
          for", that <br>
          > users' list is limited by self.<br>
          > In metarole I have definition:<br>
          ><br>
          >                             <approverExpression><br>
          >                                 <script><br>
          >                                     <code><br>
          >                                         return <br>
          > midpoint.getManagersOidsExceptUser(object)<br>
          >                                     </code><br>
          >                                 </script><br>
          >                             </approverExpression><br>
          >
          <evaluationStrategy>firstDecides</evaluationStrategy><br>
          >
          <outcomeIfNoApprovers>reject</outcomeIfNoApprovers><br>
          ><br>
          > If the user requests a role, getManagersOidsExceptUser()
          can't return <br>
          > managers because it is not authorized. This results in
          automatic <br>
          > rejection of the request.<br>
          > If I'm adding something like this:<br>
          ><br>
          >     <authorization><br>
          >         <br>
          > <action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read" rel="noreferrer" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</a></action><br>
          >         <object><br>
          >             <type>UserType</type><br>
          >         </object><br>
          >     </authorization><br>
          ><br>
          > getManagersOidsExceptUser() returns managers correctly.
          But, clicking <br>
          > on the button "Requesting for" I can see all existing
          users. But I <br>
          > still want to see only myself in the list.<br>
          ><br>
          > How to get the user authorized to read own managers? And,
          at the same <br>
          > time, not to break user list under the "Requesting for"
          button with <br>
          > extra users?<br>
          ><br>
          > Thanks,<br>
          > Yakov<br>
          ><br>
          > _______________________________________________<br>
          > midPoint mailing list<br>
          > <a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
          > <a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
          _______________________________________________<br>
          midPoint mailing list<br>
          <a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
          <a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
        </blockquote>
      </div>
      <br>
      <fieldset></fieldset>
      <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
  </div>

_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div>