MidPoint: MID-2790

Implement owner-based security restrictions for resource searches


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: backlog
    • Component/s: Security
    • Labels: None

      Description

      Currently it is possible to specify a restriction "owner = self" for shadows, like this:

      <authorization>
          <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
          <object>
              <type>ShadowType</type>
              <owner>
                  <special>self</special>
              </owner>
          </object>
      </authorization>


      However, after executing a search of this type, all shadows are returned. Those that are not owned by the user are returned empty, with a fetch result of FATAL_ERROR: Access denied.

      It would be better if only the relevant shadows were returned. (Although the condition 'owner = self' obviously cannot be implemented within a search filter that is evaluated on the resource, since ownership is a midPoint-side relation.)

      See also TestSecurity.test250AutzJackSelfAccountsRead.
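      To make the difference concrete, here is a small Python model added to this issue (not midPoint code): it applies the 'owner = self' authorization as a post-filter and contrasts the current result set with the proposed one. The Shadow class, OIDs, names and owner links are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (an assumption for this model, not midPoint data):
# the raw shadows a resource search returns, plus midPoint-side owner links.
@dataclass
class Shadow:
    oid: str
    name: str
    attributes: dict = field(default_factory=dict)
    fetch_result: Optional[str] = None  # set when access is denied

RESOURCE_SHADOWS = [
    Shadow("shadow-1", "jack", {"uid": "jack"}),
    Shadow("shadow-2", "guybrush", {"uid": "guybrush"}),
    Shadow("shadow-3", "jack-admin", {"uid": "jack-admin"}),
]
OWNER_OF = {"shadow-1": "user-jack", "shadow-2": "user-guybrush", "shadow-3": "user-jack"}

# The authorization from the issue, reduced to a dict: read ShadowType where owner = self.
AUTHZ_OWNER_SELF = {"action": "read", "type": "ShadowType", "owner": "self"}


def authorized(shadow: Shadow, principal_oid: str, authz: dict) -> bool:
    """Decide read access for one shadow. 'owner = self' needs the midPoint-side
    owner link, which the resource knows nothing about, so it can only be
    evaluated after the resource has returned the shadow."""
    if authz["type"] != "ShadowType":
        return False
    if authz.get("owner") == "self":
        return OWNER_OF.get(shadow.oid) == principal_oid
    return True


def search_current(principal_oid: str, authz: dict) -> list:
    """Current behaviour described in the issue: every shadow is returned;
    unowned ones come back empty with fetch result FATAL_ERROR: Access denied."""
    results = []
    for s in RESOURCE_SHADOWS:
        if authorized(s, principal_oid, authz):
            results.append(s)
        else:
            results.append(Shadow(s.oid, "", {}, "FATAL_ERROR: Access denied"))
    return results


def search_proposed(principal_oid: str, authz: dict) -> list:
    """Proposed behaviour: apply the owner check as a post-filter so that only
    shadows the principal may read are returned at all."""
    return [s for s in RESOURCE_SHADOWS if authorized(s, principal_oid, authz)]
```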

              People

              Assignee: Unassigned
              Reporter: Pavol Mederly (mederly)
