Security
Implemented authorization evaluators:
RecertificationRequestByRecertificationActionEvaluator
Permissions to recertification request by action.
RecertificationItemByRecertificationRequestEvaluator
Permissions to items by recertification request.
RecertificationRequestByApproverEvaluator
Permissions to recertification request by approver. This evaluator is used to determine the approvers of a recertification request. An approver is either:
- Manager of the user
  - It uses the subordinatesFor filter, which means this behavior can be changed by selecting the desired filter implementation in Settings → Modules → Filters
  - By default, the DefaultContractByManagerFilter is active. This filter takes into consideration both direct role guarantees and tree node guarantees
  - If you wish, for example, to approve recertification requests only by direct guarantees, activate ContractByGuaranteeFilter, which does exactly that
- Authorizers of the recertified role
  - Both authorizers by role and authorizer identities are included
Example of security setting
Person - security
Person can create recertification action and requests - see bulk actions and both agendas. Cannot execute created requests.
Set the role authorization policies as follows:
- Users (IdmIdentity) | Read | BasePermissionEvaluator
- Roles (IdmRole) | Read | BasePermissionEvaluator
- Role recertification - actions (RecRecertificationAction) | Create, Read, View in select box (autocomplete) | BasePermissionEvaluator
- Role recertification - requests (RecRecertificationRequest) | - | RecertificationRequestByRecertificationActionEvaluator
- Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator
* DELETE permission can be added to the action to enable removing the created action and requests (e.g. security can remove blocked or old records).
Person - approver
Person can see and approve recertification requests where they are among the available approvers. Cannot see and create recertification actions.
Set the role authorization policies as follows:
- Users (IdmIdentity) | Read | BasePermissionEvaluator
- Roles (IdmRole) | Read | BasePermissionEvaluator
- Role recertification - requests (RecRecertificationRequest) | Execute, Read, Update | RecertificationRequestByApproverEvaluator
- Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator
UPDATE permission to recertification request (item is secured transitively by request).
READ permission. Replace these permissions with your project-specific setting (e.g. just subordinates can be shown, only some roles)
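A drift check for the approver role described above, as an added example that is not the product's own code: it compares a role's policies against the baseline from this page and reports anything granted beyond it. It assumes the policies are available as text rows in this page's `label (Type) | permissions | evaluator` notation; the function names and the drifted sample are constructed for illustration.

```python
import re

# Baseline for the approver role, copied from the policy list on this page.
APPROVER_BASELINE = """\
- Users (IdmIdentity) | Read | BasePermissionEvaluator
- Roles (IdmRole) | Read | BasePermissionEvaluator
- Role recertification - requests (RecRecertificationRequest) | Execute, Read, Update | RecertificationRequestByApproverEvaluator
- Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator
"""

# Constructed sample of a drifted approver role (not taken from a real system).
APPROVER_ACTUAL = """\
- Users (IdmIdentity) | Read | BasePermissionEvaluator
- Roles (IdmRole) | Read | BasePermissionEvaluator
- Role recertification - actions (RecRecertificationAction) | Create, Read | BasePermissionEvaluator
- Role recertification - requests (RecRecertificationRequest) | Execute, Read, Update | BasePermissionEvaluator
- Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator
"""

def parse_policies(text):
    """Map entity type -> (permission set, evaluator name)."""
    policies = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        entity = re.search(r"\((\w+)\)$", parts[0])
        if len(parts) != 3 or not entity:
            continue  # not a policy row
        perms = {p.strip() for p in parts[1].split(",")} - {"", "-"}
        policies[entity.group(1)] = (perms, parts[2])
    return policies

def policy_drift(baseline_text, actual_text):
    """List every way the actual role grants more than, or differs from, the baseline."""
    expected, actual = parse_policies(baseline_text), parse_policies(actual_text)
    findings = []
    for entity, (perms, evaluator) in sorted(actual.items()):
        if entity not in expected:
            findings.append(f"{entity}: policy not in baseline ({evaluator})")
            continue
        exp_perms, exp_evaluator = expected[entity]
        if perms - exp_perms:
            findings.append(f"{entity}: extra permissions {sorted(perms - exp_perms)}")
        if evaluator != exp_evaluator:
            findings.append(f"{entity}: evaluator {evaluator}, expected {exp_evaluator}")
    findings += [f"{e}: baseline policy missing" for e in sorted(expected.keys() - actual.keys())]
    return findings

if __name__ == "__main__":
    for finding in policy_drift(APPROVER_BASELINE, APPROVER_ACTUAL):
        print(finding)
```

On the constructed sample it reports two findings: a policy on recertification actions, which the approver role is not meant to have, and the request policy evaluated by BasePermissionEvaluator instead of RecertificationRequestByApproverEvaluator.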