===== Security =====

Implemented autorization evaluators:

**RecertificationRequestByRecertificationActionEvaluator**

Permissions to recertification request by action.

**RecertificationItemByRecertificationRequestEvaluator**

Permissions to items by recertification request.

**RecertificationRequestByApproverEvaluator**

Permissions to recertification request by approver. This evaluator is used to determine approvers to the recertification request. Approver is either:

  * Manager of user
      * It uses subordinatesFor filter, which means, that there is a way to tweak this behavior by selecting the desired filter implementation in Settings -> Modules -> Filters
      * By default, the DefaultContractByManagerFilter is active. This filter takes in consideration both direct role guarantees and tree node guarantees
      * If you, for example, wish to only approve recertification requests by direct guarantees, then activate ContractByGuaranteeFilter, which does exactly that
  * Authorizers of the recertified role
      * Both authorizers by role and authorizer identities are included

==== Example of security setting ====

=== Person - security ===

Person can create recertification action and requests - see bulk actions and both agendas. Cannot execute created requests.

Set the role authorization policies as follows:

  * Users (IdmIdentity)| Read | BasePermissionEvaluator
  * Roles (IdmRole)| Read | BasePermissionEvaluator
  * Role recertification - actions (RecRecertificationAction) | Create, Read, View in select box (autocomplete) | BasePermissionEvaluator
  * Role recertification - requests (RecRecertificationRequest) | - | RecertificationRequestByRecertificationActionEvaluator
  * Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator

//* ''DELETE''  permission can be added to action to enable removing created action and requests (e.g. security can remove blocked or old records). //

=== Person - approver ===

Person can see and approve recertification requests, where is in available approvers. Cannot see and create recertification actions.

Set the role authorization policies as follows:

  * Users (IdmIdentity)| Read | BasePermissionEvaluator
  * Roles (IdmRole)| Read | BasePermissionEvaluator
  * Role recertification - requests (RecRecertificationRequest) | Execute, Read, Update | RecertificationRequestByApproverEvaluator
  * Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator

<note tip>When you want to disable possibility to remove assigned roles by approver (just approve), then don't add ''UPDATE''  persmission to recertification request (item is secured transitivelly by request).</note>

<note tip>All roles and identities have ''READ''  permission. Replace this permissions with your project specific setting (e.g. just subordinates can be shown, only some roles)</note>

<note tip>[[..:..:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|Default user role]] setting is expected.</note>