Menu
▾
▴
Re: [Unity-idm-discuss] Inspector is not authorized to read members in unity 2.8.2
|
From: Sander A. <sa....@fz...> - 2020-01-02 06:34:34
|
Dear Krzysztof, first of all I wish you a happy new year and all the best for 2020. Upgrading to privileged inspector would be ok, but I don't have this role anymore. The drop down list does not contain it. It is still listed in the explanation of the roles, but not available. Cheers, Sander On Fri, 2019-12-27 at 16:50 +0100, Krzysztof Benedyczak wrote: > Hi Sander, > > W dniu 19.12.2019 o 13:07, Sander Apweiler pisze: > > Dear Krzysztof, > > > > we have some users who has Inspector privileges. Since we updated > > to > > unity 2.8.2 this users got the error "Not authorized to read > > members of > > the group" when they try to view the users in admin endpoint. Was > > this > > changed behaviour planed? > > Yes. > > We have added a lot of optimizations in recent versions, in order to > have a fast operation on huge groups. A side effect of this is that > in > both adminUI and the new console browsing of groups contents requires > a > slightly higher privilege. Previously we had a very detailed > filtering > of data returned for role of inspector. Now it was simplified, and > while > authorization works in the same way (i.e. Inspector can access the > same > data it could before) it is not enough to use Console UI/Admin UI > which > are using simplier API for performance. We could also support the > original Inspector role, but it would require a separate optimized > implementation and at the same time we believe that AdminUI/Console > should be rather used by privileged users. > > The solution is quite straightforward: the "Privileged inspector" > role > has enough capabilities to use console/adminUI in RO mode, so use it > for > RO users of Console/AdminUI. The "Inspector" role is still useful as > a > more limited user on REST API. The difference between the two roles > is > that Privileged inspector can read also some of the data "hidden" > from > outside world, like disabled entities, which are not shown to the > plain > "Inspector". > > HTH, > Krzysztof > > -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
