MidPoint: MID-1904

Delegated administration and owner filter to filter shadows does not work

Details

    • Type: Improvement
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.0 (Newton)
    • Fix Version/s: 3.0 (Newton)
    • Component/s: None
    • Labels: None

    Description

      This is a continuation of MID-1873.
      The role does not allow the administrator with this role assigned to view/edit shadows.

      The shadows should be accessible using the following authorization:

      <!-- Authorization to Read, Add, Modify and Delete Shadows -->
      <authorization>
          <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
          <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
          <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
          <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
          <object>
              <type>ShadowType</type>
              <!-- Accounts whose owner is a User with employeeType EXAMPLE, Vendor or System -->
              <owner>
                  <type>UserType</type>
                  <filter>
                      <q:or>
                          <q:equal>
                              <q:path>employeeType</q:path>
                              <q:value>EXAMPLE</q:value>
                          </q:equal>
                          <q:equal>
                              <q:path>employeeType</q:path>
                              <q:value>Vendor</q:value>
                          </q:equal>
                          <q:equal>
                              <q:path>employeeType</q:path>
                              <q:value>System</q:value>
                          </q:equal>
                      </q:or>
                  </filter>
              </owner>
          </object>
      </authorization>

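      As an added example (not midPoint's own code and not part of this issue), the following Python reference model shows how the authorization above is meant to decide access. It parses the fragment, wrapped in a constructed <role> root that declares the q: prefix with the prism query-3 namespace, evaluates the owner filter, and shows that a shadow whose owner is a UserType with employeeType EXAMPLE, Vendor or System is accessible for the four granted actions, while a shadow with a non-matching owner, an owner of another type, or no owner at all is denied. The dict-shaped objects, the decide() and expected_decisions() functions and the placeholder OID are assumptions of this example.

```python
# Reference model (added example, not midPoint code) of how the owner-filter
# authorization from MID-1904 is meant to be evaluated. The dict-based objects
# and decide() are assumptions; midPoint's real evaluator is in its Java
# security layer.
import xml.etree.ElementTree as ET

AUTHZ_NS = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3"
Q_NS = "http://prism.evolveum.com/xml/ns/public/query-3"  # midPoint/prism query language
Q = "{%s}" % Q_NS

# The authorization from the issue, wrapped in a constructed <role> root that
# declares the q: prefix so the fragment parses on its own.
AUTHZ_XML = f"""
<role xmlns:q="{Q_NS}">
  <authorization>
    <action>{AUTHZ_NS}#read</action>
    <action>{AUTHZ_NS}#add</action>
    <action>{AUTHZ_NS}#modify</action>
    <action>{AUTHZ_NS}#delete</action>
    <object>
      <type>ShadowType</type>
      <owner>
        <type>UserType</type>
        <filter>
          <q:or>
            <q:equal><q:path>employeeType</q:path><q:value>EXAMPLE</q:value></q:equal>
            <q:equal><q:path>employeeType</q:path><q:value>Vendor</q:value></q:equal>
            <q:equal><q:path>employeeType</q:path><q:value>System</q:value></q:equal>
          </q:or>
        </filter>
      </owner>
    </object>
  </authorization>
</role>
"""


def parse_authorization(xml_text):
    """Extract the parts of the authorization that the access decision needs."""
    root = ET.fromstring(xml_text.strip())
    authz = root.find("authorization")
    obj = authz.find("object")
    owner = obj.find("owner")
    return {
        # keep only the local action names (read, add, modify, delete)
        "actions": {a.text.rsplit("#", 1)[1] for a in authz.findall("action")},
        "object_type": obj.findtext("type"),
        "owner_type": owner.findtext("type"),
        "owner_filter": owner.find("filter")[0],  # the top-level <q:or>
    }


def matches(filter_el, item):
    """Evaluate a q:or / q:and / q:not / q:equal filter tree against a dict."""
    tag = filter_el.tag
    if tag == Q + "or":
        return any(matches(child, item) for child in filter_el)
    if tag == Q + "and":
        return all(matches(child, item) for child in filter_el)
    if tag == Q + "not":
        return not matches(filter_el[0], item)
    if tag == Q + "equal":
        path = filter_el.findtext(Q + "path")
        value = filter_el.findtext(Q + "value")
        return item.get(path) == value
    raise ValueError(f"unsupported filter element {tag}")


def decide(authz, action, shadow, owner):
    """Allow only when action, object type, owner type and owner filter all match.
    A shadow without an owner (orphan account) can never satisfy an owner clause."""
    if action not in authz["actions"]:
        return False
    if shadow.get("type") != authz["object_type"]:
        return False
    if owner is None or owner.get("type") != authz["owner_type"]:
        return False
    return matches(authz["owner_filter"], owner)


AUTHZ = parse_authorization(AUTHZ_XML)

# Constructed sample objects (placeholder OID, no real data).
SHADOW = {"type": "ShadowType", "oid": "shadow-oid-placeholder"}
VENDOR_OWNER = {"type": "UserType", "employeeType": "Vendor"}
CONTRACTOR_OWNER = {"type": "UserType", "employeeType": "Contractor"}
ORG_OWNER = {"type": "OrgType", "employeeType": "Vendor"}


def expected_decisions():
    """The decisions the role from the issue is supposed to produce."""
    return {
        "read vendor-owned shadow": decide(AUTHZ, "read", SHADOW, VENDOR_OWNER),
        "delete vendor-owned shadow": decide(AUTHZ, "delete", SHADOW, VENDOR_OWNER),
        "read contractor-owned shadow": decide(AUTHZ, "read", SHADOW, CONTRACTOR_OWNER),
        "read org-owned shadow": decide(AUTHZ, "read", SHADOW, ORG_OWNER),
        "read orphan shadow": decide(AUTHZ, "read", SHADOW, None),
        "search (action not granted)": decide(AUTHZ, "search", SHADOW, VENDOR_OWNER),
    }


if __name__ == "__main__":
    for case, allowed in expected_decisions().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```

      The orphan case is worth noting when reproducing this report: an authorization with an <owner> clause grants nothing for a shadow that has no resolvable owner, so an "Access denied" on a single account is only evidence of a broken owner filter once the account is known to be linked to a user that satisfies the filter.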

      After logging in with this role assigned, attempting to edit a user shows the user attributes, but the accounts are not displayed:

      Couldn't load account.Access denied: Access denied
      
          Load account (Gui)
          Cause:
      
          Access denied
      
      
          Get object (Model)
          Get object (Model)
              Access denied
              Param: oid: b6051025-744e-4fcf-a417-383845662f1c
              Param: class: class com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType
              Param: options: 
              Cause:
      
              Access denied
      
              com.evolveum.midpoint.util.exception.SecurityViolationException: Access denied
              at com.evolveum.midpoint.model.impl.controller.ModelController.postProcessObject(ModelController.java:1470)
              at com.evolveum.midpoint.model.impl.controller.ModelController.getObject_aroundBody0(ModelController.java:302)
              at com.evolveum.midpoint.model.impl.controller.ModelController$AjcClosure1.run(ModelController.java:1)
              at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
              at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:192)
              at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1)
              at com.evolveum.midpoint.util.aspect.MidpointAspect.processModelNdc(MidpointAspect.java:77)
              at com.evolveum.midpoint.model.impl.controller.ModelController.getObject(ModelController.java:253)
              at sun.reflect.GeneratedMethodAccessor490.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

People

    Assignee: Ivan Noris
    Reporter: Ivan Noris