From: Krzysztof B. <kb...@un...> - 2019-12-27 15:50:40
Hi Sander,

On 19.12.2019 at 13:07, Sander Apweiler wrote:
> Dear Krzysztof,
>
> we have some users who have Inspector privileges. Since we updated to
> unity 2.8.2 these users got the error "Not authorized to read members of
> the group" when they try to view the users in admin endpoint. Was this
> changed behaviour planned?

Yes. We have added a lot of optimizations in recent versions, in order to have fast operation on huge groups. A side effect of this is that in both adminUI and the new console, browsing of group contents requires a slightly higher privilege.

Previously we had a very detailed filtering of data returned for the role of inspector. Now it was simplified, and while authorization works in the same way (i.e. Inspector can access the same data it could before) it is not enough to use Console UI/Admin UI, which are using a simpler API for performance.

We could also support the original Inspector role, but it would require a separate optimized implementation, and at the same time we believe that AdminUI/Console should rather be used by privileged users.

The solution is quite straightforward: the "Privileged inspector" role has enough capabilities to use console/adminUI in RO mode, so use it for RO users of Console/AdminUI. The "Inspector" role is still useful as a more limited user on REST API. The difference between the two roles is that Privileged inspector can also read some of the data "hidden" from the outside world, like disabled entities, which are not shown to the plain "Inspector".

HTH,
Krzysztof