Project

General

Profile

Actions

Task #1131

closed

Insufficient privileges for the request approver

Added by Alena Peterová almost 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Low
Assignee:
Vít Švanda
Category:
Roles
Target version:
Start date:
06/11/2018
Due date:
% Done:

100%

Estimated time:
Owner:

Description

Version: 8.1.0

When adding a new automatic role by organisation, the request for the role authorizer was created }the role has Priority 2). But the role authorizer could not open the task due to insufficient privileges, please see the screenshot.

I tried to set the userRole according to this:
https://wiki.czechidm.com/devel/documentation/roles/dev/automatic_role_request#request_approver
but it wasn't enough.
I had to add following permissions to be able to view the task:
  • Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) - Read - BasePermissionEvaluator
  • Requests for automatic roles (IdmAutomaticRoleRequest) - Read - BasePermissionEvaluator

Please check it, why the settings according to the wiki isn't enough (or update the wiki).


Files

automatic_role_request.png (67.3 KB) automatic_role_request.png Alena Peterová, 06/11/2018 05:42 PM
userRole_permissions.png (75.4 KB) userRole_permissions.png Alena Peterová, 06/12/2018 05:50 PM
missing_task_name_role_with_criticality_3.png (35.4 KB) missing_task_name_role_with_criticality_3.png Alena Peterová, 06/18/2018 01:29 PM
missing_task_name_wf_identifier.png (52.4 KB) missing_task_name_wf_identifier.png Alena Peterová, 06/18/2018 01:29 PM
show_role_name_role_assignment.png (46.9 KB) show_role_name_role_assignment.png Alena Peterová, 06/18/2018 01:37 PM
show_role_name_automatic_role_request.png (42.2 KB) show_role_name_automatic_role_request.png Alena Peterová, 06/18/2018 01:37 PM
Actions #1

Updated by Alena Peterová almost 6 years ago

  • Category set to Roles
  • Assignee set to Vít Švanda
Actions #2

Updated by Vít Švanda almost 6 years ago

  • Status changed from New to Needs feedback
  • Assignee changed from Vít Švanda to Alena Peterová
  • Target version set to Lapis (8.2.0)

I have tried this case and for me it works correctly.

Did you set the permissions by the last article in that wiki page (https://wiki.czechidm.com/devel/documentation/roles/dev/automatic_role_request#request_approver)?
There is described that the 'IdmAutomaticRoleAttributeRuleRequest' with evaluator 'AutomaticRoleRequestByWfInvolvedIdentityEvaluator' is needed.

Actions #3

Updated by Alena Peterová almost 6 years ago

That combination doesn't exist when configuring permissions for the role. There is:
'IdmAutomaticRoleAttributeRuleRequest' - 'AutomaticRoleRuleRequestByRequestEvaluator'
and
'IdmAutomaticRoleRequest' - 'AutomaticRoleRequestByWfInvolvedIdentityEvaluator'

I set both to userRole as you can see on the screenshot and still get Insufficient privileges...

Actions #4

Updated by Vít Švanda almost 6 years ago

  • You have right, the combination AutomaticRoleRequestByWfInvolvedIdentityEvaluator and IdmAutomaticRoleRequest is that you primary needs.
  • Your problem is that you didn't assign any permissions (use Read). I agree this is not explicitly write in the wiki. I added this information.
Actions #5

Updated by Vít Švanda almost 6 years ago

  • Assignee changed from Vít Švanda to Alena Peterová
Actions #6

Updated by Alena Peterová almost 6 years ago

Thanks, that was it.
I think this permission should be a part of the "userRole" settings (https://wiki.czechidm.com/devel/documentation/security/dev/authorization#default_settings_of_permissions_for_an_identity_profile), or can you see some reason why not?

A few more feedbacks found from testing (low priority):
  • The task name is empty, when I set automatic role with priority 3 (see missing_task_name_role_with_criticality_3.png). But the workflow identifier is not empty (see missing_task_name_wf_identifier.png). Maybe missing localization?
  • Role name is not visible in the automatic role request (see show_role_name_automatic_role_request.png), but it is visible in the role assignment request for the same role (show_role_name_role_assignment.png).
    • Note: The userRole doesn't have autocomplete for all roles, only for the roles with "Can be requested" flag. I think I can't add autocomplete on all roles, otherwise users could request for all roles.
  • Audit -> Automatic Roles -> the table was empty when logged as the request approver with basic settings. He could see the approval task correctly, but this table was empty.
Actions #7

Updated by Alena Peterová almost 6 years ago

  • Assignee changed from Alena Peterová to Vít Švanda
Actions #9

Updated by Vít Švanda over 5 years ago

  • Assignee changed from Vít Švanda to Alena Peterová
  • % Done changed from 0 to 90
  • Task is empty - You have right, name of task is empty. Problem is not in the localization but in the workflow process where missing expression in the UserTask documentation field (this field is uses to dynamicle name of task).
  • (I created new task for it #1180) - Role name is not visible in the automatic role request - By default, we assumes that all role requests are for roles witch can be requested.
    • For your cause you need new permission evaluator something as "RoleByWfInvolvedIdentityEvaluator", but there is problem, becaouse the role does not have relation to the workflow process.
    • Name of role could be filled on the backend (in the roleRequest). Same approche is used in the detail of task for approving a role (there is name of role sets in the workflow).
  • Audit -> Automatic Roles -> the table was empty - This is correct. User approving the request has rights on that request, becouse has right on task. This is achived by 'AutomaticRoleRequestByWfInvolvedIdentityEvaluator', but that works only for get request by specific UUID, not as filter. We cannot create hibernate predicate for Activiti tables (we does not have mapped this tables). So that is reason why list of automatic role requests are empty.
Actions #10

Updated by Radek Tomiška over 5 years ago

  • Assignee changed from Alena Peterová to Radek Tomiška
Actions #11

Updated by Vít Švanda over 5 years ago

  • Status changed from Needs feedback to Closed
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 90 to 100
Actions

Also available in: Atom PDF