  1. MidPoint
  2. MID-4893

Autz case from 3.7 not working

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.9
    • Component/s: None
    • Labels:
    • Subscription:
      Active subscription

      Description

      We are unable to achieve this scenario in 3.9 anymore:

      • End users are not allowed to see relation=default user-role assignments, except when they are org managers (in other words, seeing other users' roles is sensitive information).
      • End users can see any user-role assignments as long as those assignments have the owner or approver relation (in other words, anybody can see who is a role approver). The Relation column in the Governance tab is filled with values.
      • Apart from being managers, we also have a dynamic autz on end users that are e.g. role owners - they can see default members with this autz:

      <authorization>
          <name>appr-read-users-rolemembershipref APPROVER</name>
          <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
          <enforcementStrategy>maySkipOnSearch</enforcementStrategy>
          <object>
              <type>UserType</type>
              <roleRelation>
                  <subjectRelation>org:approver</subjectRelation>
                  <objectRelation>org:default</objectRelation>
              </roleRelation>
          </object>
          <item>roleMembershipRef</item>
      </authorization>

      In 3.9 the Members tab is no longer dynamic. Possibly because roleMembershipRef is operational?

      Also, the Show all members button in the Assignments tab does not respect any autz.

              People

              Assignee:
              martin.lizner Martin Lizner
              Reporter:
              martin.lizner Martin Lizner
