Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | |||
|
devel:documentation:roles [2019/05/02 05:13] kopro [Admin tutorials] add codeable evaluator |
devel:documentation:roles [2019/08/14 14:15] (current) doischert |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| ====== Roles ====== | ====== Roles ====== | ||
| - | A role in CzechIdM is an entity representing a set (1 or many) of privileges on the end system or in CzechIdM itself [[.roles:adm:authorization|(permission)]]. From the perspective of the identity manager, it does not matter whether the user acquires an account in a specific application, is placed in a group in LDAP, his indication is set to “can use VPN”, or permission is set for him in the application. In all the cases, a role is assigned. A simplification carried out like this allows general rules to be applied for assigning all types of permissions (~roles) in the same way. | + | A role in CzechIdM is an entity representing a set (1 or more) of permissions on the end system or in CzechIdM itself [[.roles:adm:authorization|(permission)]]. From the perspective of the identity manager, it does not matter whether the user acquires an account in a specific application, is placed in a group in LDAP, his indication is set to “can use VPN”, or permission is set for him in the application. In all these cases, a role is assigned. A simplification carried out like this allows general rules to be applied for assigning all types of permissions (~roles) in the same way. |
| Users acquire roles: | Users acquire roles: | ||
| Line 16: | Line 16: | ||
| === Business roles === | === Business roles === | ||
| - | Roes can be aggregated into [[.roles:adm:business_roles|business roles]]. Provided role A is a subrole of role B, If role B is assigned (no matter how - automatically or manually) to the user, he acquires also role A. | + | Roles can be aggregated into [[.roles:adm:business_roles|business roles]]. Provided role A is a subrole of role B, if role B is assigned (no matter how - automatically or manually) to the user, he or she acquires role A as well. |
| === Incompatible roles (segregation of duties) === | === Incompatible roles (segregation of duties) === | ||
| Line 29: | Line 29: | ||
| ==== By org. structure ==== | ==== By org. structure ==== | ||
| - | The role can be linked to a Tree structure (e.g. position in organizational structure). That role is assigned to and removed from a user based on adding/removing the user (via their contract or other contract position) to/from the organizational tree structure. If a contract is not valid yet, roles are assigned but are disabled until the contract starts. | + | The role can be linked to a Tree structure (e.g. a position in organizational structure). That role is assigned to and removed from a user based on adding/removing the user (via their contract or other contract position) to/from the organizational tree structure. If a contract is not valid yet, roles are assigned but are disabled until the contract starts. |
| {{ :devel:documentation:automatic_roles.png?600 |}} | {{ :devel:documentation:automatic_roles.png?600 |}} | ||
| ==== By identity attributes ==== | ==== By identity attributes ==== | ||
| - | The role can be also linked with value in attribute (value can be stored in Identity, Identity extended attribute, Contract and Contract extended attribute). That role is assigned to and removed from a user based on the value in the specific attribute. Recalculating of this automatic roles is done after saving identity, identity extended attribute attributes, contract, and contract extended attribute attributes. All necessary attributes that defined automatic role by attribute are defined by agenda "Automatic role by attribute". | + | The role can be linked by value in attribute (value can be stored in Identity, Identity extended attribute, Contract and Contract extended attribute). That role is assigned to and removed from a user based on the value in the specific attribute. Recalculating of this automatic roles is done after saving the identity, identity extended attribute attributes, contract, and contract extended attribute attributes. All necessary attributes that define automatic role by attribute are defined by the agenda "Automatic role by attribute". |
| {{ :devel:documentation:automatic_role_by_attribute.png?600 |}} | {{ :devel:documentation:automatic_role_by_attribute.png?600 |}} | ||
| Line 46: | Line 46: | ||
| * [[.roles:adm:authorization|Permissions Setting Mechanism]] | * [[.roles:adm:authorization|Permissions Setting Mechanism]] | ||
| * [[.roles:adm:automatic_roles|Automatic roles overview]] | * [[.roles:adm:automatic_roles|Automatic roles overview]] | ||
| - | * [[.roles:adm:incompatible_roles|incompatible roles]] | + | * [[.roles:adm:incompatible_roles|Incompatible roles]] |
| * [[.roles:adm:duplicit_roles|Assigned roles deduplication]] | * [[.roles:adm:duplicit_roles|Assigned roles deduplication]] | ||
| Line 55: | Line 55: | ||
| * [[tutorial:adm:automatic_roles_by_attribute|Creating an automatically assigned role by identity attribute]] | * [[tutorial:adm:automatic_roles_by_attribute|Creating an automatically assigned role by identity attribute]] | ||
| * [[tutorial:adm:copying|Copying assigned roles from one user to another]] | * [[tutorial:adm:copying|Copying assigned roles from one user to another]] | ||
| - | * [[tutorial:adm:codeable_permission|Create codeable evaluator]] | + | * [[tutorial:adm:codeable_permission|Create a codeable evaluator]] |
| ===== Devel guide ===== | ===== Devel guide ===== | ||