===== Security =====

Implemented authorization evaluators:

  * **RecertificationRequestByRecertificationActionEvaluator** - Permissions to recertification request by action.
  * **RecertificationItemByRecertificationRequestEvaluator** - Permissions to items by recertification request.
  * **RecertificationRequestByApproverEvaluator** - Permissions to recertification request by approver.

==== Example of security setting ====

=== Person - security ===

A person with this role can create recertification actions and requests - see bulk actions and both agendas. They cannot execute created requests.

Set the role authorization policies as follows:

  * Users (IdmIdentity) | Read | BasePermissionEvaluator
  * Roles (IdmRole) | Read | BasePermissionEvaluator
  * Role recertification - actions (RecRecertificationAction) | Create, Read, View in select box (autocomplete) | BasePermissionEvaluator
  * Role recertification - requests (RecRecertificationRequest) | - | RecertificationRequestByRecertificationActionEvaluator
  * Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator

//* The ''DELETE'' permission can be added to the action to enable removing created actions and requests (e.g. security can remove blocked or old records).//

=== Person - approver ===

A person with this role can see and approve recertification requests for which they are among the available approvers. They cannot see or create recertification actions.

Set the role authorization policies as follows:

  * Users (IdmIdentity) | Read | BasePermissionEvaluator
  * Roles (IdmRole) | Read | BasePermissionEvaluator
  * Role recertification - requests (RecRecertificationRequest) | Execute, Read, Update | RecertificationRequestByApproverEvaluator
  * Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator

To prevent an approver from removing assigned roles (so that they can only approve), don't add the ''UPDATE'' permission to the recertification request (the item is secured transitively by the request).

All roles and identities have the ''READ'' permission. Replace these permissions with your project-specific settings (e.g. only subordinates can be shown, only some roles).

The [[..:..:..:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|Default user role]] setting is expected.