Re: [Unity-idm-discuss] Inspector is not authorized to read members in unity 2.8.2

[Sander A. <sa....@fz...>]

Dear Krzysztof,

On Fri, 2020-01-03 at 12:11 +0100, Krzysztof Benedyczak wrote:
> Dear Sander,
> 
> Happy New Year!
> 
> W dniu 02.01.2020 o 07:34, Sander Apweiler pisze:
> > Dear Krzysztof,
> > first of all I wish you a happy new year and all the best for 2020.
> > 
> > Upgrading to privileged inspector would be ok, but I don't have
> > this
> > role anymore. The drop down list does not contain it. It is still
> > listed in the explanation of the roles, but not available.
> > 
> Uh! That's very strange. I have no guess around what happened. Couple
> of 
> ideas to get us started:
> 
> 1. What drop down has no priv inspector? AdminUI -> Contents
> Management 
> -> setting an attribute? Or elsewhere?
Yes in AdminUI -> Contents Management -> setting an attribute. See
screenshot.
> 
> 2. Can you try to play with this a bit? E.g. can you set this
> attribute 
> for new (even test) user?
Same behaviour.
> 
> 3. Can you create a DB JSON dump and inspect what is in 
> sys:Authorizationrole attribute type? Having this may help.
It seems that it is lost in the database:

{
       "flags" : 1,
       "maxElements" : 10,
       "minElements" : 1,
       "selfModificable" : false,
       "uniqueValues" : true,
       "syntaxState" : {
         "allowed" : [ "Anonymous User", "Inspector", "Regular User", "Contents Manager", "System Manager" ]
       },
       "displayedName" : {
         "DefaultValue" : "sys:AuthorizationRole",
         "Map" : {
           "pl" : "Rola autoryzacyjna",
           "en" : "Authorization role"
         }
       },
       "i18nDescription" : {
         "DefaultValue" : null,
         "Map" : {
           "pl" : "Definiuje jakie operacje są dozwolone dla posiadacza. Wpływa na dostęp do grupy w której atrybut jest przydzielony oraz wszystkich podgrupach, gdzie może być nadpisany. Dostępne role:\n<b>System Manager</b> - Syst       em manager with all privileges.\n<b>Contents Manager</b> - Allows for performing all management operations related to groups, entities and attributes. Also allows for reading information about hidden attributes.\n<b>Privileged Insp       ector</b> - Allows for reading entities, groups and attributes, including the attributes visible locally only. No modifications are possible\n<b>Inspector</b> - Allows for reading entities, groups and attributes. No modifications a       re possible\n<b>Regular User</b> - Allows owners for reading of the basic system information, retrieval of information about themselves and also for changing passwords and self managed attributes\n<b>Anonymous User</b> - Allows for        minimal access to the system: owners can get basic system information and retrieve information about themselves\n",
           "en" : "Defines what operations are allowed for the bearer. The attribute of this type defines the access in the group where it is defined and in all subgroups. In subgroup it can be redefined to grant more access. Roles:       \n <b>System Manager</b> - System manager with all privileges.\n<b>Contents Manager</b> - Allows for performing all management operations related to groups, entities and attributes. Also allows for reading information about hidden        attributes.\n<b>Privileged Inspector</b> - Allows for reading entities, groups and attributes, including the attributes visible locally only. No modifications are possible\n<b>Inspector</b> - Allows for reading entities, groups and        attributes. No modifications are possible\n<b>Regular User</b> - Allows owners for reading of the basic system information, retrieval of information about themselves and also for changing passwords and self managed attributes\n<b>       Anonymous User</b> - Allows for minimal access to the system: owners can get basic system information and retrieve information about themselves\n"
         }
       },
       "metadata" : { },
       "name" : "sys:AuthorizationRole",
       "syntaxId" : "enumeration"
     },
> 
> 4. Can you set this attribute over REST API?
I did not test it because it was not in the database.

Because on other instances we have this role, do you know a database
query to create it?

Cheers,
Sander
> 
> Cheers,
> KB
> 
-- 
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------
-----------------------------------------------------------------------