MidPoint: MID-1873

Delegated administration does not allow viewing/editing the organization in OrgTree


Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.0 (Newton)
    • Fix Version/s: 3.0 (Newton)
    • Component/s: None
    • Labels: None
    • Git revision: git-v2.3devel-1998-gf9d7158

    Description

      The security role is as follows:

      <role oid="00000000-dc00-dc00-0004-000000000019"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
          <name>CUSTOMER SUPPORT</name>

          <!-- GUI -->
          <authorization>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit</action>
          </authorization>

          <!-- Model -->
          <!-- Authorization to Read, Add, Modify and Delete Users, employeeType=Vendor|CUSTOMER|System -->
          <authorization>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
              <object>
                  <type>UserType</type>
                  <filter>
                      <q:or>
                          <q:equal>
                              <q:path>employeeType</q:path>
                              <q:value>CUSTOMER</q:value>
                          </q:equal>
                          <q:equal>
                              <q:path>employeeType</q:path>
                              <q:value>Vendor</q:value>
                          </q:equal>
                          <q:equal>
                              <q:path>employeeType</q:path>
                              <q:value>System</q:value>
                          </q:equal>
                      </q:or>
                  </filter>
              </object>
          </authorization>

          <!-- Authorization to Read roles (to display assigned roles). GUI authorization limits the usage on pages. -->
          <authorization>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
              <object>
                  <type>RoleType</type>
              </object>
          </authorization>

          <!-- Authorization to Read, Add, Modify and Delete Shadows -->
          <authorization>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
              <object>
                  <type>ShadowType</type>
              </object>
          </authorization>

          <!-- Authorization to Read, Add, Modify and Delete Organizations. -->
          <authorization>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
              <object>
                  <type>OrgType</type>
              </object>
          </authorization>

          <!-- Authorization to Read Objects TODO: why we need this in Org list ?? -->
          <authorization>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
              <object>
                  <type>ObjectType</type>
              </object>
          </authorization>
      </role>
      

      Notice the authorization at the end:

          <authorization>
              <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
              <object>
                  <type>ObjectType</type>
              </object>
          </authorization>
      

      This one is needed to display the objects in the right part of the org tree page. But even if they are displayed, only users can be viewed/edited in the right part of the tree, not the organizations.

      Clicking on organization produces:

      2014-05-07 09:46:20,662 [] [http-bio-8080-exec-1] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): AUTZ: evaluating authorization principal=MidPointPrincipal(user:3576232a-7c16-4a02-a9b5-8e5393cb52d4(customer.support@example.com), autz=[[http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users, http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user, http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails, http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree, http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit]), [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete]), [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read]), [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete]), [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete]), [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read]), [http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#dashboard, http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#myPasswords])]), op=isFullyAuthenticated(), phase=REQUEST, object=null, delta=null, target=null
      . . .
      2014-05-07 09:46:20,663 [] [http-bio-8080-exec-1] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read])
      2014-05-07 09:46:20,663 [] [http-bio-8080-exec-1] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization not applicable for operation isFullyAuthenticated()
      2014-05-07 09:46:20,663 [] [http-bio-8080-exec-1] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): Evaluating authorization [http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#dashboard, http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#myPasswords])
      2014-05-07 09:46:20,663 [] [http-bio-8080-exec-1] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl):   Authorization not applicable for operation isFullyAuthenticated()
      2014-05-07 09:46:20,663 [] [http-bio-8080-exec-1] TRACE (com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): AUTZ result: principal=MidPointPrincipal(user:3576232a-7c16-4a02-a9b5-8e5393cb52d4(customer.support@example.com), autz=[[http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#users, http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#user, http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#userDetails, http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgTree, http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#orgUnit]), [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete]), [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read]), [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete]), [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add, http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete]), [http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read]), [http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#dashboard, http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#myPasswords])]), operation=isFullyAuthenticated(): false
      

      and an "Error forbidden (403)" page is displayed in the midPoint GUI.
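      The trace above is easier to read once the decision rule is spelled out. The following is an added example, not midPoint's own code: it parses a role of the same shape as the one in the description (a trimmed, constructed copy), applies a deliberately simplified version of midPoint's rule (default deny; an authorization is applicable only when it lists the action URI and, if it carries an <object> spec, the target matches the declared type and filter; type matching is reduced to "same type, or declared type is ObjectType"; only the employeeType equality filter is understood), and parses a shortened, constructed copy of the "AUTZ result" trace line. The names parse_role, decide and parse_autz_result are this example's own.

```python
# Added example (not midPoint code): a simplified model of the authorization
# decision in this issue, plus a parser for the "AUTZ result" trace line.
import re
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
      "q": "http://prism.evolveum.com/xml/ns/public/query-3"}
GUI = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#"
MODEL = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#"

# Constructed input: a trimmed copy of the CUSTOMER SUPPORT role from the issue.
ROLE_XML = f"""
<role xmlns="{NS['c']}" xmlns:q="{NS['q']}">
    <name>CUSTOMER SUPPORT</name>
    <authorization>
        <action>{GUI}orgTree</action>
        <action>{GUI}orgUnit</action>
    </authorization>
    <authorization>
        <action>{MODEL}read</action>
        <action>{MODEL}modify</action>
        <object>
            <type>UserType</type>
            <filter><q:or>
                <q:equal><q:path>employeeType</q:path><q:value>CUSTOMER</q:value></q:equal>
                <q:equal><q:path>employeeType</q:path><q:value>Vendor</q:value></q:equal>
            </q:or></filter>
        </object>
    </authorization>
    <authorization>
        <action>{MODEL}read</action>
        <object><type>ObjectType</type></object>
    </authorization>
</role>
"""


def parse_role(xml_text):
    """One dict per <authorization>: action URIs, declared object type (None when
    there is no <object>) and the employeeType values the filter allows (None
    when unfiltered). Only the employeeType equality filter is understood."""
    autz = []
    for a in ET.fromstring(xml_text).findall("c:authorization", NS):
        entry = {"actions": {x.text.strip() for x in a.findall("c:action", NS)},
                 "type": None, "employee_types": None}
        obj = a.find("c:object", NS)
        if obj is not None:
            entry["type"] = obj.findtext("c:type", namespaces=NS)
            if obj.find("c:filter", NS) is not None:
                entry["employee_types"] = {
                    eq.findtext("q:value", namespaces=NS)
                    for eq in obj.iter("{%s}equal" % NS["q"])
                    if eq.findtext("q:path", namespaces=NS) == "employeeType"}
        autz.append(entry)
    return autz


def decide(autz, action, target=None):
    """Simplified midPoint rule (assumption, not the real algorithm): default deny;
    an authorization applies only if it lists the action and its <object> spec
    (if any) matches the target. Returns (allowed, index of the applicable
    authorization). target is None for a page action, or a dict such as
    {"type": "UserType", "employeeType": "CUSTOMER"} for a model operation.
    Type matching is reduced to "same type, or declared type is ObjectType"."""
    for i, a in enumerate(autz):
        if action not in a["actions"]:
            continue
        if a["type"] is None:                          # no <object>: any target
            return True, i
        if target is None or a["type"] not in (target["type"], "ObjectType"):
            continue
        if a["employee_types"] is not None and \
                target.get("employeeType") not in a["employee_types"]:
            continue
        return True, i
    return False, None                                 # nothing applicable


# Constructed input: a shortened copy of the last trace line in the issue.
TRACE_LINE = (
    "2014-05-07 09:46:20,663 [] [http-bio-8080-exec-1] TRACE "
    "(com.evolveum.midpoint.security.impl.SecurityEnforcerImpl): AUTZ result: "
    "principal=MidPointPrincipal(user:3576232a-7c16-4a02-a9b5-8e5393cb52d4"
    f"(customer.support@example.com), autz=[[{GUI}orgTree, {GUI}orgUnit]), "
    f"[{MODEL}read, {MODEL}modify]), [{MODEL}read])]), "
    "operation=isFullyAuthenticated(): false")
AUTZ_RESULT = re.compile(
    r"AUTZ result: principal=MidPointPrincipal\(user:(?P<oid>[0-9a-f-]+)"
    r"\((?P<name>[^)]*)\), autz=\[(?P<dump>.*)\]\), operation=(?P<op>.*): (?P<result>true|false)$")


def parse_autz_result(line):
    """Principal, granted action URIs, operation and verdict from an 'AUTZ result'
    trace line; None for any other line."""
    m = AUTZ_RESULT.search(line)
    if m is None:
        return None
    return {"oid": m["oid"], "name": m["name"], "operation": m["op"],
            "granted": m["result"] == "true",
            "actions": set(re.findall(r"https?://[^\s,\])]+", m["dump"]))}
```

      With this model, decide(parse_role(ROLE_XML), GUI + "orgUnit") is allowed by the first authorization and a model read of an OrgType falls through to the ObjectType authorization, while a modify of an OrgType or of a user whose employeeType is outside the filter is denied because nothing applies. parse_autz_result(TRACE_LINE) shows the same thing for the trace: the operation string isFullyAuthenticated() is not among the action URIs in the principal dump, so the enforcer reports every authorization as "not applicable" and the verdict is false, which is what the GUI turns into the 403 page.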

People

    Assignee: Ivan Noris (vix)
    Reporter: Ivan Noris (vix)
    Votes: 0
    Watchers: 3