
Using runAs for a user with delegated administration privileges doesn't seem to return the correct results

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 6.5.0
    • Fix Version/s: 7.0.0, 6.5.0.4
    • Component/s: None
    • Story Points: 5
    • Sprint: 2019.8 - IDM

      Description

      To replicate the issue:

      • Create new role -> Internal -> viewAllUsersRole -> privileges 
      • Add privileges -> new Privilege -> viewAllUsers 
      • For viewAllUsers, "Can View" is selected
      • Click on managedUser -> mike
      • Ensure mike has viewAllUsers as an authorisation role.

      Added the runAsProperties block into authentication.json with one change:

       

        "runAsProperties" : {
            "adminRoles" : [
                "internal/role/openidm-admin",
                "internal/role/viewAllUsersRole"
            ],
            "disallowedRunAsRoles" : [
            ],
            "queryId" : "credential-query",
            "queryOnResource" : "managed/user",
            "propertyMapping" : {
                "authenticationId" : "username",
                "userRoles" : "authzRoles"
            },
            "augmentSecurityContext" : {
                "type" : "text/javascript",
                "source" : "require('auth/customAuthz').setProtectedAttributes(security)"
            }
        }


      The following request returns a list of managed user ids:

      curl --header "X-OpenIDM-Username: mike" --header "X-OpenIDM-Password: Welcome1"  --request GET "http://localhost:8080/openidm/managed/user?_queryFilter=true" | jq .
      

       

      The following request results in access denied:

       

      curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --header "X-OpenIDM-RunAs: mike" --request GET "http://localhost:8080/openidm/managed/user?_queryFilter=true" | jq .
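      To make the expected outcome of the two requests concrete, here is an added Python model of the runAsProperties decision (illustration only, not OpenIDM's own code; the evaluation order and the meaning of adminRoles and disallowedRunAsRoles are assumed from their names, and the user records are constructed):

```python
"""Model of the runAsProperties decision from this report.
Added illustration, not OpenIDM code; semantics assumed from the property names."""
import json

# Constructed from the authentication.json fragment quoted in the report.
RUN_AS_PROPERTIES = json.loads("""{
  "adminRoles": ["internal/role/openidm-admin", "internal/role/viewAllUsersRole"],
  "disallowedRunAsRoles": [],
  "queryOnResource": "managed/user",
  "propertyMapping": {"authenticationId": "username", "userRoles": "authzRoles"}
}""")

# Constructed stand-ins for what the credential-query on managed/user would return.
USERS = {
    "mike": {"username": "mike", "authzRoles": ["internal/role/viewAllUsersRole"]},
    "bjensen": {"username": "bjensen", "authzRoles": ["internal/role/openidm-authorized"]},
}


def run_as_context(caller_roles, run_as_user, cfg=RUN_AS_PROPERTIES, users=USERS):
    """Return the security context the request should run under, or None if runAs is refused."""
    # 1. Only a caller holding one of adminRoles may act as another user (assumed).
    if not set(caller_roles) & set(cfg["adminRoles"]):
        return None
    record = users.get(run_as_user)
    if record is None:
        return None
    mapping = cfg["propertyMapping"]
    target_roles = record[mapping["userRoles"]]
    # 2. A target holding any of disallowedRunAsRoles cannot be impersonated (assumed).
    if set(target_roles) & set(cfg["disallowedRunAsRoles"]):
        return None
    # 3. The effective context carries the target's id and roles, not the caller's.
    return {"authenticationId": record[mapping["authenticationId"]],
            "authorization": {"roles": list(target_roles)}}


def can_view_all_users(ctx):
    """The viewAllUsers privilege in the report is granted through viewAllUsersRole."""
    return ctx is not None and "internal/role/viewAllUsersRole" in ctx["authorization"]["roles"]
```

      Under this model, openidm-admin running as mike gets mike's authzRoles, so the query should succeed exactly as mike's direct request does; the report shows it being denied instead.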
      

       

       

      People

      • Assignee: Katie Gonzalez (katie.gonzalez)
      • Reporter: Margaret Rizkalla (margaret.rizkalla)
      • QA Assignee: Son Nguyen
      • Votes: 0
      • Watchers: 7
