Agenda of universal requests
What is a universal request?
The universal request agenda allows you to create a request for any (supported) object in IDM. One advantage in comparison with the previous agendas for dealing with requests is its versatility, as there is no need to create a separate agenda for each additional approved object (such as the agenda for automatic roles requests and the agenda of requests for changing permissions).
How a universal request works
From a user’s perspective, if the approval mode is enabled, it is not possible to edit the object on a standard URL. This means that even if a user has the right to edit, the object will be read-only (details will be read only, edit buttons will not be available, bulk operations will not be available). An object can only be edited after you have moved to a specific request URL.
Example of a URL role and the same edit role within the request:
* /role/{role ID}/detail * /requests/{request ID}/role/{role ID}/detail
Creation of a request
You first need to create a request in order to be able to visit the above mentioned URLs. Once you already have a request, you can start making individual changes.
Permissions
The basic rule of how permissions are controlled when a request is being created: To execute an operation in a request, you need the same level of permission as you would need to execute the same operation if the request mode were turned off.
This means that a user must have, as a minimum, the same level of permissions to create a new role request as if they wanted to create a role outside of the request mode. The same applies to other operations, such as editing or deleting (roles within a request). The same set of rights is needed as when the request mode is turned off.
Example of permissions that are needed to create a new role by request:
- Requests (universal) (IdmRequest) - Gets rights to all requests created by a logged-in user.
- Evaluator: RequestByCreatorEvaluator
- Permissions: Create, Execute, Read, Delete, Update, Autocomplete, (Admin permissions allow you to execute a request without approval!)
- Requests (universal) (IdmRequest) - Currently logged-in user can work with requests, when the identity is involved in approving.
- Evaluator: RequestByWfInvolvedIdentityEvaluator
- Permissions: Create, Execute, Read, Delete, Update, Autocomplete, (Admin permissions allow you to execute a request without approval!)
- Requests (universal) (IdmRequest) - Returns requests by rights on the request's owner (target object). Only supports IdmRole as owner now!
- Evaluator: RequestByOwnerEvaluator
- Requests - items (universal) (IdmRequestItem) - Gets rights to universal request items by right on requests
- Evaluator: RequestItemByRequestEvaluator
- Roles (IdmRole) - Gets rights to all roles. Grants only IdmRole object, for additional objects (business roles, permissions, systems) you have to add next permissions.
- Evaluator: BasePermissionEvaluator
* Permissions: Create, Execute, Read, Delete, Update, Autocomplete