Table of Contents

Authorization policies

An authorization policy determines which permissions a user in CzechIdM has.

A policy is assigned to a role and everyone with this role gains the permissions determined by the policy as well.

The default role "User" gives implicit permissions, which all the users in CzechIdM have. This role is not assigned explicitly, it is simply default and is always applied (see the following chapter).

A new agenda of authorization policies = permissions for data and agendas has been tied to a role. Assigning permissions makes available both agendas on the front-end (or rather REST endpoints on the back-end) and permissions for data (make records in these agendas available) to the logged in user. Permissions for agendas (REST endpoints) are assessed according to the set permissions.

The main idea is that if an agenda supports a permission for data, then we cannot see any data in the default state. To see some data we need to get / comply with a configured policy, which we get based on our assigned roles. Between policies is OR operator ⇒ we adding permissions for data.
How permissions for agendas and permissions for data work together:
  • To see some data, we need to have at least one role with a policy assigning the permissions.

Real life example:

Let there be an agenda of identities. To be able to select from the identity dial (e.g. in filters) we need to be assigned a permission for an agenda of autocomplete for identities Identity - AUTOCOMPLETE or Displaying in autocomplete, selections for instance with the evaluation type BasePermissionEvaluator.

Base interfaces and classes

By linking a group with a base permission we get an authority - for example ROLE_READ, IDENTITY_WRITE.
A Special group is APP, which is meant for the application administrators or for special permissions - the authority APP_ADMIN is created by linking a group with a base permission. The authority owns all the permissions in the application. Other permission is APPSKIPCAS_ADMIN you can use this permission to enable login directly via IdM even if login via CAS is enabled.
Policies are assigned to individual roles and thanks to that the logged in user also gets them (relation identity - IR - role - policy).
Configured authorization policy is persisted with selected AuthorizationEvaluator implementation class ⇒ when evaluator implementation is renamed or moved into different package, then authorization policy with modified evaluator has to be reconfigured too (or change script has to be provided).
When implementing getPermissions or getPredicate evaluator's method, don't forget to check identity is logged in securityService.isAuthenticated(), if evaluator cannot be used in public endpoints.
When implementing getPredicate evaluator's method, don't forget to check policy has evaluated permission assigned hasPermission(policy, permission).

Additional base permissions

For some entities was added additional base permissions, which extends BasePermission above.

Identity

Role

Identity role

Identity contract

Cache

Cache is used for evaluating authorization policies and permissions by AuthorizationManager:

Base authorization evaluators

AbstractAuthorizationEvaluator

Adds the default implementation of the AuthorizationEvaluator methods. It is used as a parent for the other evaluators.

AbstractTransitiveEvaluator

Serves as a parent for evaluating permissions according to the derived objects - for example, I have a permission for the assigned role if I have a permission for the identity, etc. See the children of this abstract class below (IdentityContractByIdentityEvaluator).

Parameters

BasePermissionEvaluator

Serves for assigning the configured permission for the configured domain type - for all the data of the given type. It can be used when we want to give an access to an agenda including the access to all data. It is used, for example, for an admin with the configuration - any type (permissions for all the Identifiable children) + BasePermission.ADMIN . It can also be used for assigning the base permission for displaying data during autocomplete (see BasePermission.AUTOCOMPLETE above).

BasePermissionEvaluator is also used for simple sharing of an agenda which does not support permissions for data yet. Agendas which do not support permissions for data yet are not linked to the domain object, which can be see on the front-end as well. No other evaluator can be selected for these agendas

UuidEvaluator

"Shares" the object with the given uuid. It is suitable when we are not able to configure another, more general rule - simply put - when somebody needs to see only one log from the whole agenda, it can be "shared" via the identifier (it would be nice not to enter the uuid directly in the configuration but to use autocomplete … coming soon).

CodeableEvaluator

"Shares" the object with the given identifier so that it is possible to enter uuid of the code of the given entity. For this evaluator, it is necessary to choose the entity type for which it is intended - does not work across entities.

SelfIdentityEvaluator

Gives currently logged user a permission to work with his own identity.

IdentityByFormProjectionEvaluator

@since 10.3.0

A permission for identities by user type.

Parameters

SubordinatesEvaluator

A permission for contracts which are my subordinates. Overloadable filters are used for evaluating subordinates or managers.

SubordinateContractEvaluator

@since 10.3.0

A permission for identities which are my subordinate contracts. Overloadable filters are used for evaluating subordinate contracts or contract managers.

IdentityContractByIdentityEvaluator

Gives a permission for industrial relations according to the permission for identity ⇒ e.g. if I have a permission to read an identity, I have a permission to read its IR. AbstractTransitiveEvaluator is used here.

Parameters

Prevent to combine with IdentityByContractEvaluator - configure one of them.

IdentityByContractEvaluator

@since 10.3.0

Gives a permission for identity according to the permission for identity contract ⇒ e.g. if I have a permission to read an contract, I have a permission to read its identity.

Prevent to combine with IdentityContractByIdentityEvaluator - configure one of them.

ContractGuaranteeByIdentityContractEvaluator

Gives a permission for guarantees of a industrial relation (setting a guarantee "directly") according to the permission for a industrial relation ⇒ e.g. If I have a permission to read IR, I have a permission to read its guarantees. AbstractTransitiveEvaluator is used here. If I have a permission to edit IR, I have a permission to edit (add or delete) its assigned guarantees.

IdentityRoleByIdentityEvaluator

Gives a permission for assigned roles according to the permission for the identity ⇒ e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. AbstractTransitiveEvaluator is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles.

IdentityRoleByContractEvaluator

@since 10.3.0

Gives a permission for assigned roles according to the permission for the contract ⇒ e.g. If I have a permission to read an contract, I have a permission to read its assigned roles. AbstractTransitiveEvaluator is used here. If I have a permission to edit the contract, I have a permission to edit (add or delete) its assigned roles. Logged identity can see / edit roles assigned to managed contracts only.

IdentityRoleByRoleEvaluator

@since 9.7.12

Gives a permission for assigned roles according to the permission for the role definition ⇒ e.g. If I have a permission to read an role, I have a permission to read its assigned roles. AbstractTransitiveEvaluator is used here. If I have a permission to edit the role, I have a permission to edit its assigned roles. It's usable mainly with can be requested permission - enables copying assigned roles from other identity.

Parameters

RoleGuaranteeEvaluator

Gives a permission to work with roles which I guarantee. Role guarantee can be configured by:

This evaluator solves both ways (or).

Evaluator can be used for UC, when role guarantee can assign his roles to users (@since 11.1.0). The authorization policies have to be set as follows:

AuthorizationPolicyByRoleEvaluator

Gives a permission for authorization policies according to the permission for a role ⇒ e.g. if I have a permission to read a role, I have permission the authorization policies assigned to it. If I have a permission to edit a role, I have a permission to edit (add or delete) authorization policies assigned to it.

RoleTreeNodeByRoleEvaluator

Gives a permission for automatic roles according to the permission for a role ⇒ e.g. if I have a permission to read a role, I have a permission to read the automatic roles assigned to it. if I have a permission to edit a role, I have a permission to edit (add or delete) the automatic roles assigned to it.

ConfigurationEvaluator

Gives a permission for application configuration (read, set…). If we want to get permissions for the secured configuration items, we need to set the parameter secured to true.

RoleCanBeRequestedEvaluator

Assigns permissions for a role according to the role attribute "canBeRequested". This means that if I have a role with this evaluator, I will get permissions only for those roles the attribute of which "canBeRequested" is set to true.

RoleAccountByRoleEvaluator

Gives a permission for accounts in system according to the permission for the role ⇒ e.g. If I have a permission to read a role, I have a permission to read its accounts in system. AbstractTransitiveEvaluator is used here.

RoleCatalogueAccountByRoleCatalogueEvaluator

Gives a permission for accounts in system according to the permission for the role catalogue ⇒ e.g. If I have a permission to read a role catalogue, I have a permission to read its accounts in system. AbstractTransitiveEvaluator is used here.

SelfRoleRequestEvaluator

Gives currently logged user a permission to work with his own role requests. This functionality can be configured another way - by combination RoleRequestByIdentityEvaluator and SelfIdentityEvaluator with adding permission CHANGEPERMISSION. CHANGEPERMISSION on identity gives permissions READ, CREATE, UPDATE, DELETE to identity's role requests automatically.

RoleRequestByIdentityEvaluator

Gives a permission for role requests according to the permission for the identity ⇒ e.g. If I have a permission to read a identity, I have a permission to read its role requests. CHANGEPERMISSION on identity is wildcard here - it gives permissions READ, CREATE, UPDATE, DELETE to identity's role requests. AbstractTransitiveEvaluator is used here.

RoleRequestByWfInvolvedIdentityEvaluator

Gives a permission to work with role requests which I has to approve. All involved identities (approver, applicant, implementer …) will have this permission. This policy is needed for workflow approval, where approver doesn't have a permission to read applicant. Approver will be applicant's manager (guarantee) in more cases, but even some "stranger" can have approval task assigned.

TreeAccountByRoleEvaluator

Gives a permission for accounts in tree node according to the permission for the role ⇒ e.g. If I have a permission to read a role, I have a permission to read its accounts in tree node. AbstractTransitiveEvaluator is used here.

FormAttributteByDefinitionEvaluator

Gives a permission for form attributes according to the permission for the form definition ⇒ e.g. If I have a permission to read a form definition, I have a permission to read its attributes. AbstractTransitiveEvaluator is used here.

FormAttributteByCodeListEvaluator

@since 9.4.0

Gives a permission for form attributes according to the permission for the code list ⇒ e.g. If I have a permission to read a code list, I have a permission to read its attributes.

CodeListItemByCodeListEvaluator

@since 9.4.0

Gives a permission for code list items according to the permission for the code list ⇒ e.g. If I have a permission to read a code list, I have a permission to read its items.

CodeListItemByCodeEvaluator

@since 10.3.0

Gives a permission for code list items according to the permission for the code list and item codes.

Parameters

VsRequestByImplementerEvaluator

For show requests only for assigned implementers. With this evaluator can user show and edit only requests where is implementer (directly or from roles).

ReadAccountByIdentityEvaluator

This evaluator assignes only READ permission.

For show accounts only for identities witch have relation (via identity-account entity) on the accounts. With this evaluator can user show accounts where is owner.

IdentityAccountByAccountEvaluator

For show identity-accounts only for identities witch have permissions on the accounts. With this evaluator can user show and edit only identity-accounts where is owner for the accounts.

ReportByReportTypeEvaluator

@since 12.2.0 Gives currently logged identity permission to work with a specified report. The report is specified by executor name (e. g., 'identity-report'). Only one report can be used; if you need to give access to multiple reports, create the permission multiple times. This evaluator limits which report executors are returned as available by ReportManager. For generated reports, the user is able to see EVERY report of the type which was created. To download a report, a simple READ permission is not enough, a CREATE or ADMIN permission is needed.

SelfReportEvaluator

Gives currently logged identity a permission to work with his own reports ⇒ logged identity is report creator.

IdentityFormValueEvaluator

@since 8.2.0

Since version 8.2.0, it is possible to define permissions not only for identity as a whole, but also for individual attributes. This means that it is now possible for one user to view (or edit) all his attributes, and only one attribute for the other.
The permissions control for a particular attribute is now only available for extended attributes (EAV).

Permissions to identity form attribute values. By definition (main if not specified) and attrinute codes (all if not specified).

Evaluating authorization policies for identity extended form attributes has to be enabled by configuration. Configure permissions for form definitions together with this evaluator - FORMDEFINITION_AUTOCOMPLETE is needed for read / update form values in this definition.

Parameters

IdentityContractFormValueEvaluator

@since 10.2.0

Since version 10.2.0, it is possible to define permissions not only for contract as a whole, but also for individual attributes. This means that it is now possible for one user to view (or edit) all his attributes, and only one attribute for the other.
The permissions control for a particular attribute is now only available for extended attributes (EAV).

Permissions to contract form attribute values. By definition (main if not specified) and attrinute codes (all if not specified). Configure permissions for form definitions together with this evaluator - FORMDEFINITION_AUTOCOMPLETE is needed for read / update form values in this definition.

Parameters

RoleCatalogueRoleByRoleEvaluator

@since 9.0.0

Permissions to assigned role catalogue relations by role. If i have permission to role, i have permission to role catalogue relations.

RoleCompositionBySubRoleEvaluator

@since 9.0.0

Permissions to business roles by sub role. If i have permission to role, i have permission to business roles (compositions) with this role defined in sub role relation.

RoleCompositionBySuperiorRoleEvaluator

@since 9.0.0

Permissions to business roles by superior role. If i have permission to role, i have permission to business roles (compositions) with this role defined in superior role relation.

RoleGuaranteeByRoleEvaluator

@since 9.0.0

Permissions to assigned guarantees (by identity) by role.

RoleFormAttributeByRoleEvaluator

@since 9.4.0

Permissions to role attributes (subdefinition) by role.

RoleGuaranteeRoleByRoleEvaluator

@since 9.0.0

Permissions to assigned guarantees (by role) by role.

ContractPositionByIdentityContractEvaluator

@since 9.1.0

Permissions to assigned other contract positions by identity contract. If i have permission to identity contract, i have permission to other contract positions.

SelfProfileEvaluator

@since 9.2.0

Gives currently logged user a permission to work with his own profile.

ProfileByIdentityEvaluator

@since 9.2.0

Permissions to profiles by identity. If i have permission to identity, i have permission to their profile.

Parameters

SelfIdentityRoleEvaluator

@since 9.3.0

Permissions to identity roles. User can manipulate with his own roles. With basic settings for user you dont need this, beacause exist evaluator IdentityRoleByIdentityEvaluator and every identity can read all roles for identities that can read.

SelfContractEvaluator

@since 10.4.0

Permissions to contracts. User can manipulate with his own contracts.

Universal request agenda (IdmRequest - evaluators)

Universal request agenda

RoleByRoleCatalogueEvaluator

@since 10.3.0 for LTS version is available similar evaluator in extras module.

Documentation for the evaluator is available there.

IdentityByTreeNodeEvaluator

@since 10.3.0 for LTS version is available similar evaluator in extras module.

Documentation for the evaluator is available there.

Default policies

The configuration of default permissions for agendas and data for all logged in users is carried out through the default role according to the application configuration. The default role can have, similarly to other roles, configured permissions for agendas and data. After logging in, these permissions will be filled in the context of the logged-in user (authorities and authorization policies) - the role itself does not figure in the assigned roles of the user. The default role can be used mainly for adding base permissions for the autocomplete (of roles, identities) and the like.

The business roles are supported with the default role ⇒ the user will get all authorization policies from default and all sub roles.

Examples of configuration

Default settings of permissions for an identity profile

This is a typical setting for the userRole - regular user as defined in the installation package.

If we want to read an identity profile including its assigned roles and IR, to enable password change and to request roles, it is possible to set the default role authorization policies as follows:

From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity UPDATE. But exits own permissions for each operation (MANUALLYDISABLE or MANUALLYENABLE)
From version 9.7.12 it's required CANBEREQUESTED permission for copying roles into request by other identity.

Manager and subordinates

If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only:

With this setting manager will see even other contracts, which not manages (⇒ all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. </note>

Default settings of permissions for delegations

Default settings of permissions for delegations are defined in the role 'Delegation (delegationRole)'.

You can see a detailed configuration of evaluators with comments here: InitDelegationRoleProcessor

Settings of permissions for the Helpdesk role

The Helpdesk role as defined in the installation package should have following additional permissions:

Settings of permissions for virtual system implementer

The virtual system implementer (~approver) role should have following additional permissions:

Default settings of permissions for a role detail

If we want to read and edit roles where we are a guarantee, including the assigned permissions, automatic roles and accounts on target system, the authorization policies can be set as follows:

Default settings of permissions for a code list admin

If wee want to configure application code list, the authorization policies can be set as follows:

Settings of permissions of identity basic attributes

If we want to enable for currently logged identity change all basic identity attributes (e.g. login, first name, surname), the authorization policies can be set as follows:

Can be combined with subordinates evaluator to enable update attributes for managers only. When identity is created, then CREATE permission is needed only - additional permissions are evaluated for UPDATE identity only.
This configuration is required from version 10.3.0 for update basic identity attributes.

Settings of permissions of identity form (extended) attribute values

If we want to enable for currently logged identity read / update for some form attributes (e.g phone) from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows:

Settings of permissions of contract form (extended) attribute values

If we want to enable for currently logged identity read / update for some contract form attributes (e.g. other manager) from some form definition (e.g. from main definition) on contract detail (tab more information), the authorization policies have to be be set as follows:

Settings which enable skipping of the role approvement

Assignment of roles is normally approved by the standard approval process. The approval process may be skipped by executing the bulk action for Role assignment with unchecked Approve, but only if the user has the following permission:

Employing policies for a new domain type - entity

To employ permissions for data for a new domain type it is necessary:

/**
 * Adds permission for creating a new role only
 *
 */
@Component
@Description("Adds permission for create new role")
public class RoleWriteNewOnlyEvaluator extends AbstractAuthorizationEvaluator<IdmRole> {
 
    @Override
    public Set<String> getPermissions(AuthorizationPolicy policy, IdmRole entity) {
        Set<String> permissions = super.getPermissions(policy, entity);
        permissions.add(IdmBasePermission.CREATE.getName());
        return permissions;
    }
}