The application still reports an error: "Groovy script did not pass safety check!" even though the script has permissions

It is possible that you are returning this class to another script. Check your application's log if the bug really comes from the script. Check the return statement or revise the script permissions again.

An example of a specific use-case:

A script looks like this:

    import eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto;
    import eu.bcvsolutions.idm.acc.exception.SynchronizationException;
    import eu.bcvsolutions.idm.core.api.dto.filter.IdmIdentityFilter;
    import java.util.Collections$UnmodifiableRandomAccessList;

    IdmIdentityFilter filter = new IdmIdentityFilter();
    filter.setExternalCode(attributeValue);
    
    List identities = new ArrayList();
    identities = identityService.find(filter, null).getContent();
    if (!identities.isEmpty()) {
        return identities.get(0); // this is the mistake, it returns IdmIdentityDto but should return ID
    }
    
    return null;

The error in log shows this:

2019-06-12T13:04:43.520+02:00: eu.bcvsolutions.idm.core.security.exception.IdmSecurityException: Script did not pass security inspection!
	at eu.bcvsolutions.idm.core.model.service.impl.DefaultGroovyScriptService.evaluate(DefaultGroovyScriptService.java:87)
	at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.transformValueFromResource(DefaultSysSystemAttributeMappingService.java:238)
	at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.transformValueFromResource(DefaultSysSystemAttributeMappingService.java:218)
	at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.getValueByMappedAttribute(DefaultSysSystemAttributeMappingService.java:635)
	at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.getUidValueFromResource(DefaultSysSystemAttributeMappingService.java:642)
	at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService$$FastClassBySpringCGLIB$$507e7707.invoke(<generated>)
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651)
	at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService$$EnhancerBySpringCGLIB$$29f4e3f1.getUidValueFromResource(<generated>)
	at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.generateUID(AbstractSynchronizationExecutor.java:1800)
	at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.findAccount(AbstractSynchronizationExecutor.java:1763)
	at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.doItemSynchronization(AbstractSynchronizationExecutor.java:339)
	at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService.doItemSynchronization(DefaultSynchronizationService.java:219)
	at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$FastClassBySpringCGLIB$$66d7ee75.invoke(<generated>)
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:720)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
	at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
	at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$EnhancerBySpringCGLIB$$65f85efb.doItemSynchronization(<generated>)
	at eu.bcvsolutions.idm.acc.event.processor.synchronization.SynchronizationItemProcessor.process(SynchronizationItemProcessor.java:52)
	at eu.bcvsolutions.idm.core.api.event.AbstractEntityEventProcessor.onApplicationEvent(AbstractEntityEventProcessor.java:243)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:166)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:138)
	at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:381)
	at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:348)
	at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager.process(DefaultEntityEventManager.java:245)
	at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager.process(DefaultEntityEventManager.java:175)
	at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager$$FastClassBySpringCGLIB$$1694e58f.invoke(<generated>)
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:720)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
	at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
	at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager$$EnhancerBySpringCGLIB$$394d8489.process(<generated>)
	at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.startItemSynchronization(AbstractSynchronizationExecutor.java:569)
	at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.handleIcObject(AbstractSynchronizationExecutor.java:521)
	at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor$DefaultResultHandler.handle(AbstractSynchronizationExecutor.java:2266)
	at eu.bcvsolutions.idm.ic.connid.service.impl.ConnIdIcConnectorService$2.handle(ConnIdIcConnectorService.java:250)
	at org.identityconnectors.framework.impl.api.StreamHandlerUtil$ObjectStreamHandlerAdapter.handle(StreamHandlerUtil.java:101)
	at org.identityconnectors.framework.impl.api.BufferedResultsProxy.invoke(BufferedResultsProxy.java:262)
	at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:94)
	at com.sun.proxy.$Proxy359.search(Unknown Source)
	at org.identityconnectors.framework.impl.api.AbstractConnectorFacade.search(AbstractConnectorFacade.java:179)
	at eu.bcvsolutions.idm.ic.connid.service.impl.ConnIdIcConnectorService.pageSearch(ConnIdIcConnectorService.java:272)
	at eu.bcvsolutions.idm.ic.connid.service.impl.ConnIdIcConnectorService.search(ConnIdIcConnectorService.java:267)
	at eu.bcvsolutions.idm.ic.service.impl.DefaultIcConnectorFacade.search(DefaultIcConnectorFacade.java:114)
	at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.process(AbstractSynchronizationExecutor.java:256)
	at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService.startSynchronization(DefaultSynchronizationService.java:190)
	at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$FastClassBySpringCGLIB$$66d7ee75.invoke(<generated>)
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651)
	at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$EnhancerBySpringCGLIB$$65f85efb.startSynchronization(<generated>)
	at eu.bcvsolutions.idm.acc.scheduler.task.impl.SynchronizationSchedulableTaskExecutor.process(SynchronizationSchedulableTaskExecutor.java:65)
	at eu.bcvsolutions.idm.acc.scheduler.task.impl.SynchronizationSchedulableTaskExecutor.process(SynchronizationSchedulableTaskExecutor.java:28)
	at eu.bcvsolutions.idm.core.scheduler.api.service.AbstractLongRunningTaskExecutor.call(AbstractLongRunningTaskExecutor.java:189)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at org.springframework.security.concurrent.DelegatingSecurityContextRunnable.run(DelegatingSecurityContextRunnable.java:80)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.SecurityException: Script wants to use unauthorized class: [class eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto] 
	at eu.bcvsolutions.idm.core.security.domain.GroovySandboxFilter.filter(GroovySandboxFilter.java:123)
	at org.kohsuke.groovy.sandbox.GroovyValueFilter.filterReturnValue(GroovyValueFilter.java:26)
	at org.kohsuke.groovy.sandbox.GroovyValueFilter.onMethodCall(GroovyValueFilter.java:58)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:148)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:145)
	at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
	at Script1.run(Script1.groovy:12)
	at eu.bcvsolutions.idm.core.model.service.impl.DefaultGroovyScriptService.evaluate(DefaultGroovyScriptService.java:79)
	... 66 more

And that's even though the script has permissions for the class eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto. The problem is that this script return an object from this class eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto which it is not supposed to do.

To fix this, change the return statement.