====== Agenda of universal requests ======
{{tag>universal request}}

===== What is a universal request? =====

The universal request agenda allows you to create a request for any (supported) object in IDM. Its advantage over the previous request agendas is its versatility: there is no need to create a separate agenda for each additional approved object (such as the agenda for automatic role requests and the agenda of requests for changing permissions).

===== How a universal request works =====

From a user’s perspective, if the approval mode is enabled, it is not possible to edit the object on a standard URL. This means that even if a user has the right to edit, the object will be **read-only** (details will be read-only, edit buttons will not be available, bulk operations will not be available). **An object can only be edited after you have moved to a specific request URL**.

**One of the main objectives of universal requests was to achieve the reuse of UI components**. This means that when a user creates a request (which leads to a completely different URL), they should not see any visual change. It should feel as if, by creating the request, the form simply switched to editing mode.

Example of a role URL and the URL for editing the same role within a request:

  * **/role/**{role ID}**/detail**
  * **/requests/**{request ID}**/role/**{role ID}**/detail**

===== Creation of a request =====

**You first need to create a request** in order to be able to visit the above-mentioned URLs. Once you have a request, you can start making individual **changes**.

{{ :devel:documentation:roles:dev:role_readonly.png?600 |}}

===== Permissions =====

**The basic rule** of how permissions are controlled when a request is being created: To execute an operation in a request, you need the **same level of permission** as you would need to execute the same operation if the request mode were turned off.
This means that a user must have, as a minimum, **the same level of permissions** to create a new role by request as they would need to create a role outside of the request mode. The same applies to other operations, such as editing or deleting (roles within a request). The same set of rights is needed as when the request mode is turned off.

{{ :devel:documentation:roles:dev:screenshot-localhost-3000-2018.10.10-14-05-13.png?600 | }}

**Example of permissions that are needed to create a new role by request**:

  * **Requests (universal) (IdmRequest)** - Gets rights to all requests created by the logged-in user.
    * Evaluator: RequestByCreatorEvaluator
    * Permissions: Create, Execute, Read, Delete, Update, Autocomplete (**Admin permissions allow you to execute a request without approval!**)
  * **Requests (universal) (IdmRequest)** - The currently logged-in user can work with requests when their identity is involved in approving them.
    * Evaluator: RequestByWfInvolvedIdentityEvaluator
    * Permissions: Create, Execute, Read, Delete, Update, Autocomplete (**Admin permissions allow you to execute a request without approval!**)
  * **Requests (universal) (IdmRequest)** - Returns requests by rights on the request's owner (target object). Only supports IdmRole as owner now!
    * Evaluator: RequestByOwnerEvaluator
  * **Requests - items (universal) (IdmRequestItem)** - Gets rights to universal request items by rights on requests.
    * Evaluator: RequestItemByRequestEvaluator
  * **Roles (IdmRole)** - Gets rights to all roles. Grants rights to the IdmRole object only; for additional objects (business roles, permissions, systems) you have to add further permissions.
    * Evaluator: BasePermissionEvaluator
    * Permissions: Create, Execute, Read, Delete, Update, Autocomplete
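
The following audit sketch is an added example, not part of the IdM documentation or code base. It checks one role's authorization policies against the list above and flags Admin grants on IdmRequest, which allow a request to be executed without approval; the policy dictionary layout, the sample data and the function name ''audit'' are assumptions made for this example.

```python
# Added example: audit one role's authorization policies against the page's list.
# The policy dict layout is an assumption, not an IdM export format.

# (authorizable type, evaluator) pairs the page lists for creating a role by request.
LISTED = [
    ("IdmRequest", "RequestByCreatorEvaluator"),
    ("IdmRequest", "RequestByWfInvolvedIdentityEvaluator"),
    ("IdmRequest", "RequestByOwnerEvaluator"),
    ("IdmRequestItem", "RequestItemByRequestEvaluator"),
    ("IdmRole", "BasePermissionEvaluator"),
]

# Constructed sample: policies assigned to one hypothetical role.
SAMPLE = [
    {"type": "IdmRequest", "evaluator": "RequestByCreatorEvaluator",
     "permissions": ["Create", "Read", "Update", "Execute", "Admin"]},
    {"type": "IdmRequestItem", "evaluator": "RequestItemByRequestEvaluator",
     "permissions": []},
    {"type": "IdmRole", "evaluator": "BasePermissionEvaluator",
     "permissions": ["Read", "Autocomplete"]},
]


def audit(policies, operation="Create"):
    """Return findings for policies shaped like the entries in SAMPLE."""
    findings = {"approval_bypass": [], "missing": [], "operation_allowed": False}
    present = {(p["type"], p["evaluator"]) for p in policies}

    for p in policies:
        perms = {name.lower() for name in p.get("permissions", [])}
        # Admin on IdmRequest lets the holder execute a request without approval.
        if p["type"] == "IdmRequest" and "admin" in perms:
            findings["approval_bypass"].append(p["evaluator"])
        # Basic rule: an operation inside a request needs the same permission
        # on the target object (IdmRole) as with request mode turned off.
        if p["type"] == "IdmRole" and operation.lower() in perms:
            findings["operation_allowed"] = True

    # Listed policies that this role does not have at all.
    findings["missing"] = [pair for pair in LISTED if pair not in present]
    return findings


if __name__ == "__main__":
    for key, value in audit(SAMPLE, "Create").items():
        print(f"{key}: {value}")
```

Any entry under ''approval_bypass'' identifies a policy whose holder can skip the approval workflow, so it should be limited to roles that are meant to have that ability.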