Task #1131: Insufficient privileges for the request approver
Status: Closed
Done: 100%
Description
Version: 8.1.0
When adding a new automatic role by organisation, the request for the role authorizer was created (the role has Priority 2). But the role authorizer could not open the task due to insufficient privileges, please see the screenshot.
I tried to set the userRole according to this: https://wiki.czechidm.com/devel/documentation/roles/dev/automatic_role_request#request_approver
but it wasn't enough.
I had to add following permissions to be able to view the task:
- Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) - Read - BasePermissionEvaluator
- Requests for automatic roles (IdmAutomaticRoleRequest) - Read - BasePermissionEvaluator
Please check why the settings according to the wiki aren't enough (or update the wiki).
Updated by Alena Peterová over 6 years ago
- Category set to Roles
- Assignee set to Vít Švanda
Updated by Vít Švanda over 6 years ago
- Status changed from New to Needs feedback
- Assignee changed from Vít Švanda to Alena Peterová
- Target version set to Lapis (8.2.0)
I have tried this case and for me it works correctly.
Did you set the permissions according to the last article on that wiki page (https://wiki.czechidm.com/devel/documentation/roles/dev/automatic_role_request#request_approver)?
It is described there that 'IdmAutomaticRoleAttributeRuleRequest' with the evaluator 'AutomaticRoleRequestByWfInvolvedIdentityEvaluator' is needed.
Updated by Alena Peterová over 6 years ago
- File userRole_permissions.png userRole_permissions.png added
- Assignee changed from Alena Peterová to Vít Švanda
That combination doesn't exist when configuring permissions for the role. There is:
'IdmAutomaticRoleAttributeRuleRequest' - 'AutomaticRoleRuleRequestByRequestEvaluator'
and
'IdmAutomaticRoleRequest' - 'AutomaticRoleRequestByWfInvolvedIdentityEvaluator'
I set both to userRole as you can see on the screenshot and still get Insufficient privileges...
Updated by Vít Švanda over 6 years ago
- You are right, the combination AutomaticRoleRequestByWfInvolvedIdentityEvaluator and IdmAutomaticRoleRequest is the one you primarily need.
- Your problem is that you didn't assign any permissions (use Read). I agree this is not explicitly written in the wiki. I added this information.
Updated by Vít Švanda over 6 years ago
- Assignee changed from Vít Švanda to Alena Peterová
Updated by Alena Peterová over 6 years ago
- File missing_task_name_role_with_criticality_3.png missing_task_name_role_with_criticality_3.png added
- File missing_task_name_wf_identifier.png missing_task_name_wf_identifier.png added
Thanks, that was it.
I think this permission should be a part of the "userRole" settings (https://wiki.czechidm.com/devel/documentation/security/dev/authorization#default_settings_of_permissions_for_an_identity_profile), or can you see some reason why not?
- The task name is empty, when I set automatic role with priority 3 (see missing_task_name_role_with_criticality_3.png). But the workflow identifier is not empty (see missing_task_name_wf_identifier.png). Maybe missing localization?
- Role name is not visible in the automatic role request (see show_role_name_automatic_role_request.png), but it is visible in the role assignment request for the same role (show_role_name_role_assignment.png).
- Note: The userRole doesn't have autocomplete for all roles, only for the roles with "Can be requested" flag. I think I can't add autocomplete on all roles, otherwise users could request for all roles.
- Audit -> Automatic Roles -> the table was empty when logged as the request approver with basic settings. He could see the approval task correctly, but this table was empty.
Updated by Alena Peterová over 6 years ago
- Assignee changed from Alena Peterová to Vít Švanda
Updated by Vít Švanda over 6 years ago
- Assignee changed from Vít Švanda to Alena Peterová
- % Done changed from 0 to 90
- I think this permission should be a part of the "userRole" settings - I agree. I added these settings to (https://wiki.czechidm.com/devel/documentation/security/dev/authorization#default_settings_of_permissions_for_an_identity_profile).
- Task name is empty - You are right, the name of the task is empty. The problem is not in the localization but in the workflow process, where an expression is missing in the UserTask documentation field (this field is used to name the task dynamically).
- I fixed that workflow "approveRoleByAuthorizerAndSecurity".
- I added a fallback: if the task description is missing, then the name of the task will be used.
https://github.com/bcvsolutions/CzechIdMng/commit/fcc73b514c36789f4aa9ac157245cae88aee49f8
- Role name is not visible in the automatic role request (I created a new task for it: #1180) - By default, we assume that all role requests are for roles which can be requested.
- For your case you would need a new permission evaluator, something like "RoleByWfInvolvedIdentityEvaluator", but there is a problem, because the role does not have a relation to the workflow process.
- The name of the role could be filled in on the backend (in the roleRequest). The same approach is used in the detail of the task for approving a role (there the name of the role is set in the workflow).
- Audit -> Automatic Roles -> the table was empty - This is correct. The user approving the request has rights on that request because he has rights on the task. This is achieved by 'AutomaticRoleRequestByWfInvolvedIdentityEvaluator', but that works only for getting a request by a specific UUID, not as a filter. We cannot create a Hibernate predicate for Activiti tables (we do not have these tables mapped). So that is the reason why the list of automatic role requests is empty.
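The comment above describes why an approver can open one automatic role request by UUID but sees an empty list in Audit -> Automatic Roles. The following is an added illustration of that two-path behaviour, written for this page; it is not CzechIdM code. The class and method names (AutomaticRoleRequest, WorkflowInvolvement, ByWfInvolvedIdentityEvaluator, canRead, findAll) are hypothetical stand-ins, the workflow involvement check is an in-memory lambda constructed for the demo, and the JPA CriteriaBuilder predicate the real evaluator would build is modelled as a plain java.util.function.Predicate so the example compiles with the JDK alone (Java 16+ for the record).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import java.util.function.Predicate;

// Added illustration, not CzechIdM code. All names below are hypothetical
// stand-ins for the entities and evaluator SPI discussed in the thread.
public class EvaluatorPathsDemo {

    /** Stand-in for IdmAutomaticRoleRequest: the request carries only the workflow process id. */
    record AutomaticRoleRequest(UUID id, String wfProcessId) {}

    /** Stand-in for the workflow engine: is this identity involved in the process instance? */
    interface WorkflowInvolvement {
        boolean isInvolved(String processInstanceId, UUID identityId);
    }

    /** Evaluator granting READ to identities involved in the request's workflow process. */
    static class ByWfInvolvedIdentityEvaluator {
        private final WorkflowInvolvement wf;

        ByWfInvolvedIdentityEvaluator(WorkflowInvolvement wf) {
            this.wf = wf;
        }

        /** Entity path: consulted when a single request is loaded by UUID (e.g. from the task detail). */
        Set<String> getPermissions(AutomaticRoleRequest request, UUID identityId) {
            if (request.wfProcessId() != null && wf.isInvolved(request.wfProcessId(), identityId)) {
                return Set.of("READ");
            }
            return Set.of();
        }

        /** Filter path: consulted when listing requests. The workflow tables are not mapped
         *  as entities, so involvement cannot be expressed as a database predicate; the
         *  evaluator therefore contributes nothing (null) to the query. */
        Predicate<AutomaticRoleRequest> getPredicate(UUID identityId) {
            return null;
        }
    }

    /** Mimics a secured "get by id": allowed if the evaluator returns READ for that entity. */
    static boolean canRead(ByWfInvolvedIdentityEvaluator ev, AutomaticRoleRequest r, UUID who) {
        return ev.getPermissions(r, who).contains("READ");
    }

    /** Mimics a secured "find all": a row is listed only if some predicate matches it;
     *  an evaluator without a predicate lets nothing through. */
    static List<AutomaticRoleRequest> findAll(ByWfInvolvedIdentityEvaluator ev,
                                              List<AutomaticRoleRequest> all, UUID who) {
        List<AutomaticRoleRequest> visible = new ArrayList<>();
        Predicate<AutomaticRoleRequest> p = ev.getPredicate(who);
        if (p == null) {
            return visible; // no predicate, so the list stays empty
        }
        for (AutomaticRoleRequest r : all) {
            if (p.test(r)) {
                visible.add(r);
            }
        }
        return visible;
    }

    public static void main(String[] args) {
        UUID approver = UUID.randomUUID();
        AutomaticRoleRequest req = new AutomaticRoleRequest(UUID.randomUUID(), "proc-42");

        // Constructed in-memory involvement: the approver holds a task in process "proc-42".
        WorkflowInvolvement wf = (proc, who) -> "proc-42".equals(proc) && who.equals(approver);
        ByWfInvolvedIdentityEvaluator ev = new ByWfInvolvedIdentityEvaluator(wf);

        System.out.println("open request by id -> " + canRead(ev, req, approver));
        System.out.println("requests visible in list -> " + findAll(ev, List.of(req), approver).size());
    }
}
```

Running the demo shows the same asymmetry the thread describes: the by-id check succeeds for the approver because the entity-level path can ask the workflow engine, while the listing stays empty because the evaluator has no predicate to hand to the query. The practical check for an administrator is therefore to verify permissions with a direct request detail (or task detail) rather than with the audit table.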
Updated by Radek Tomiška over 6 years ago
- Assignee changed from Alena Peterová to Radek Tomiška
Updated by Vít Švanda over 6 years ago
- Status changed from Needs feedback to Closed
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 90 to 100