Implemented autorization evaluators:

RecertificationRequestByRecertificationActionEvaluator

Permissions to recertification request by action.

RecertificationItemByRecertificationRequestEvaluator

Permissions to items by recertification request.

RecertificationRequestByApproverEvaluator

Permissions to recertification request by approver. This evaluator is used to determine approvers to the recertification request. Approver is either:

  • Manager of user
    • It uses subordinatesFor filter, which means, that there is a way to tweak this behavior by selecting the desired filter implementation in Settings → Modules → Filters
    • By default, the DefaultContractByManagerFilter is active. This filter takes in consideration both direct role guarantees and tree node guarantees
    • If you, for example, wish to only approve recertification requests by direct guarantees, then activate ContractByGuaranteeFilter, which does exactly that
  • Authorizers of the recertified role
    • Both authorizers by role and authorizer identities are included

Person - security

Person can create recertification action and requests - see bulk actions and both agendas. Cannot execute created requests.

Set the role authorization policies as follows:

  • Users (IdmIdentity)| Read | BasePermissionEvaluator
  • Roles (IdmRole)| Read | BasePermissionEvaluator
  • Role recertification - actions (RecRecertificationAction) | Create, Read, View in select box (autocomplete) | BasePermissionEvaluator
  • Role recertification - requests (RecRecertificationRequest) | - | RecertificationRequestByRecertificationActionEvaluator
  • Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator

* DELETE permission can be added to action to enable removing created action and requests (e.g. security can remove blocked or old records).

Person - approver

Person can see and approve recertification requests, where is in available approvers. Cannot see and create recertification actions.

Set the role authorization policies as follows:

  • Users (IdmIdentity)| Read | BasePermissionEvaluator
  • Roles (IdmRole)| Read | BasePermissionEvaluator
  • Role recertification - requests (RecRecertificationRequest) | Execute, Read, Update | RecertificationRequestByApproverEvaluator
  • Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator
When you want to disable possibility to remove assigned roles by approver (just approve), then don't add UPDATE persmission to recertification request (item is secured transitivelly by request).
All roles and identities have READ permission. Replace this permissions with your project specific setting (e.g. just subordinates can be shown, only some roles)
Default user role setting is expected.
  • by sourek