MidPoint / MID-4938

Setting delegation requires seeing all assignments


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: backlog
    • Component/s: None
    • Labels:
      None

      Description

      I have found one security issue, maybe to be discussed further. When setting delegations onto someone else, I'm instantly granted permission to view his/her assignments. This might be a vulnerability that circumvents the rule that users are not eligible to see each other's assignments (a very common use case in IdM deployments). Setting a delegation is usually not an approved execution. Maybe this authorization should be limited to only relation=deputy assignments:

      <authorization>
          <name>delegator-read-delagate-assignments</name>
          <description>
              Authorization to read the assignments and assignment-related items from my delegates.
              This authorization is necessary so the self-service GUI can properly display user's
              delegations. Delegations are in fact assignments in the delegate object, not delegator
              object. Therefore authorization to read just "self" will not display the delegations.
          </description>
          <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
          <object>
              <type>UserType</type>
              <delegator>
                  <special>self</special>
                  <allowInactive>true</allowInactive>
              </delegator>
          </object>
          <item>assignment</item>
          <item>delegatedRef</item>
      </authorization>
      
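      A small model of the behaviour the report describes, added here as an illustration; it is not midPoint code and does not reproduce midPoint's real authorization engine. It treats a delegation as a relation=deputy assignment stored in the delegate object (as the authorization's own description says), implements the `<delegator><special>self</special></delegator>` selector as "the object holds a deputy assignment pointing at me", and evaluates the authorization above twice: once with the page's unrestricted `<item>assignment</item>`, and once with the proposed restriction to relation=deputy assignments. The users, role names and the evaluator itself are constructed assumptions.

```python
"""Simplified model of midPoint delegation and the 'delegator-read-delegate-
assignments' authorization. Added illustration, not midPoint code: the data
model and the evaluation rules are hypothetical simplifications."""
from dataclasses import dataclass, field

# Relation used by midPoint for delegations, as named on the issue page.
DEPUTY = "deputy"
DEFAULT = "default"


@dataclass(frozen=True)
class Assignment:
    # For an ordinary assignment: the role being assigned.
    # For a delegation: the delegator user (stored in the delegate's object).
    target: str
    relation: str = DEFAULT


@dataclass
class User:
    name: str
    assignments: list = field(default_factory=list)


def delegate(delegator: User, deputy: User) -> None:
    """Delegation = a relation=deputy assignment in the DELEGATE object that
    points back at the delegator. No approval step is modelled, matching the
    report's remark that setting a delegation is usually not approved."""
    deputy.assignments.append(Assignment(target=delegator.name, relation=DEPUTY))


def is_delegator_of(subject: User, obj: User) -> bool:
    """The <delegator><special>self</special></delegator> selector: obj
    matches when obj holds a deputy assignment whose target is the subject."""
    return any(a.relation == DEPUTY and a.target == subject.name
               for a in obj.assignments)


def readable_assignments(subject: User, obj: User, deputy_only: bool) -> list:
    """Evaluate the read authorization on obj's 'assignment' item for subject.

    deputy_only=False: the authorization as posted, every assignment of the
                       delegate becomes readable by the delegator.
    deputy_only=True:  the proposed restriction, only relation=deputy
                       assignments (the delegations themselves) are readable.
    """
    if not is_delegator_of(subject, obj):
        return []
    if deputy_only:
        return [a for a in obj.assignments if a.relation == DEPUTY]
    return list(obj.assignments)


def demo():
    """alice delegates to bob and immediately gains read on bob's assignments.
    Returns (before delegation, after with posted authz, after with restriction)."""
    alice = User("alice")
    bob = User("bob", [Assignment("Finance Approver"), Assignment("HR Auditor")])
    before = readable_assignments(alice, bob, deputy_only=False)
    delegate(alice, bob)  # alice makes bob her deputy, no approval involved
    broad = readable_assignments(alice, bob, deputy_only=False)
    narrow = readable_assignments(alice, bob, deputy_only=True)
    return before, broad, narrow


if __name__ == "__main__":
    before, broad, narrow = demo()
    print("before delegation:", [a.target for a in before])
    print("posted authz:     ", [a.target for a in broad])
    print("deputy-only authz:", [a.target for a in narrow])
```

      With the posted authorization, the moment alice adds bob as her deputy she can read bob's "Finance Approver" and "HR Auditor" assignments, which she could not read before; with the deputy-only variant she sees only the delegation entry itself, which is all the self-service GUI needs to display her delegations.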

            People

            • Assignee: Unassigned
            • Reporter: Martin Lizner (martin.lizner)
            • Votes: 0
            • Watchers: 2

              Dates

              • Created:
                Updated: