Report Security

Last modified 23 Apr 2024 08:57 +02:00


Reports often use expressions. Expressions make it possible to customize midPoint behavior, and they are essential to the success of midPoint deployments. However, expressions are very powerful, and they may even be too powerful for some use cases.

Expressions can use general-purpose scripting languages such as Groovy or JavaScript, so they have almost unlimited capabilities. This means that an expression can damage the system or compromise its security.

Use expressions with utmost care.

Report Expression Security

Currently, there are very few restraints on expression execution. The expression functions provided by midPoint usually check for proper authorizations, but because expressions can use general-purpose languages, they are under no obligation to go through those libraries: an expression can easily bypass these weak protections. Therefore, do not let any unauthorized user set up any kind of expression in midPoint. Granting the right to edit any expression may lead to a compromise of system security.

Some expression security can be achieved by using expression profiles. Expression profiles can limit the capabilities of report expressions, e.g. by restricting them to safe operations that only manipulate strings and basic data structures.
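The following added example (not taken from the midPoint documentation or project) sketches an expression profile that confines report scripts to string handling, addressing both the "expressions can bypass the libraries" problem above and the expression-profile remedy. It follows the shape of the expressionProfile and permissionProfile elements of the system configuration as the editor understands them; the identifiers `report-safe` and `report-safe-permissions`, the allowed class list, and the archetype binding at the end are assumptions and must be checked against the Expression Profiles documentation for the midPoint version in use.

```xml
<!-- Added example, not midPoint's own configuration. Element names follow the
     expressionProfile/permissionProfile schema as understood by the editor;
     the identifiers, class list and archetype binding are assumptions. -->
<systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <expressions>
        <expressionProfile>
            <identifier>report-safe</identifier>
            <description>Reports: plain item paths and scripts limited to string handling.</description>
            <!-- Default for any evaluator not listed below: deny. -->
            <decision>deny</decision>
            <evaluator>
                <type>path</type>
                <decision>allow</decision>
            </evaluator>
            <evaluator>
                <type>script</type>
                <decision>allow</decision>
                <script>
                    <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
                    <decision>allow</decision>
                    <!-- Static type checking is what lets the sandbox see which
                         classes a script actually touches before it runs. -->
                    <typeChecking>true</typeChecking>
                    <permissionProfile>report-safe-permissions</permissionProfile>
                </script>
            </evaluator>
        </expressionProfile>
        <permissionProfile>
            <identifier>report-safe-permissions</identifier>
            <!-- Deny by default: no java.lang.Runtime / Process, no java.io,
                 no java.nio.file, no midPoint repository or model services.
                 A script such as "id".execute() (which returns a java.lang.Process)
                 is rejected; name?.toUpperCase() on a String is allowed. -->
            <decision>deny</decision>
            <package>
                <name>java.lang</name>
                <decision>deny</decision>
                <class>
                    <name>java.lang.String</name>
                    <decision>allow</decision>
                </class>
                <class>
                    <name>java.lang.Integer</name>
                    <decision>allow</decision>
                </class>
            </package>
            <package>
                <name>java.util</name>
                <decision>deny</decision>
                <class>
                    <name>java.util.List</name>
                    <decision>allow</decision>
                </class>
            </package>
        </permissionProfile>
    </expressions>
</systemConfiguration>

<!-- Assumed binding: the profile is attached to report objects through an
     archetype policy. The element name and placement are an assumption;
     older releases bound profiles differently. -->
<archetype xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
           oid="00000000-0000-0000-0000-000000000171">
    <name>Restricted report</name>
    <archetypePolicy>
        <expressionProfile>report-safe</expressionProfile>
    </archetypePolicy>
</archetype>
```

The design choice worth noting is the deny-by-default posture at every level (profile, evaluator, package): an allow-list of a handful of value classes is far easier to audit than a deny-list of dangerous ones, because the JDK offers many routes to process execution, file I/O and reflection besides the obvious `Runtime` and `ProcessBuilder`. Verify the effect by creating a report whose column expression calls `"id".execute()` under the profile and confirming that midPoint refuses to evaluate it rather than running the command.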

See Security Guide for more detail regarding security-related functionality of midPoint.
