devel:documentation:security:dev:authorization [2018/08/22 06:39] tomiskar [RoleGuaranteeEvaluator]
devel:documentation:security:dev:authorization [2021/06/11 06:46] 127.0.0.1 external edit
===== Authorization policies =====
{{tag> security authorization role policy default user role permissions }}

An authorization policy determines which permissions a user in CzechIdM has.

A policy is assigned to a role, and everyone with this role gains the permissions determined by the policy as well.
  * assigning permissions in CzechIdM via ordinary roles means that permissions for CzechIdM itself are managed by the standard role mechanism

The default role "

A new agenda of **authorization policies = permissions for data and agendas** has been tied to a role. Assigning permissions makes both agendas (on the front-end, or rather REST endpoints on the back-end) and data (records in these agendas) available to the logged-in user. Permissions for agendas (REST endpoints) are assessed according to the configured permissions.

<note info>The main idea is that **if an agenda supports permissions for data**, then no data is visible in the default state. To see some data we **need** to **comply with** a configured **policy**, which we get **based on our assigned roles**. Policies are combined with an **OR** operator, so each matching policy adds permissions for data and none takes them away.</note>

<note important>
**How permissions for agendas and permissions for data work together**:
  * To see some data, we need to have at least one role with a policy assigning the permissions.

**Real life example**:

Let there be an agenda of identities. **To be able to select from the identity select box** (e.g. in filters) **we need to be assigned a permission for an agenda of autocomplete for identities** ''
</note>


===== Base interfaces and classes =====


  * ''
  * ''
  * ''
  * ''
  * ''
  * ''
  * ''
  * ''
  * ''
  * ''
<
  * ''
<note important>
  * ''
  * **''
  * **''
  * ''
  * ''
  * ''
  * ''
  * ''
    * loads all the active policies according to the assigned user roles
    * connects predicates according to the policies into the where clause when searching or auto-completing data (''
    * evaluates available operations over the given domain objects on the level of REST ''

<note important>
Configured authorization policy is persisted with selected ''
</note>

<note important>
When implementing ''
</note>

<note important>
When implementing ''
</note>
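The following block is an added, self-contained model (not CzechIdM code) of the evaluation rules stated above: a policy is an evaluator rule plus the base permissions it grants, the effective permissions for one record are the OR (union) over the policies of the user's roles, a record matched by no policy yields nothing (deny by default), and a search is restricted by the same rules instead of filtering records one by one. The identities, the three rule policies (modelled on BasePermissionEvaluator, SelfIdentityEvaluator and SubordinatesEvaluator) and the permission names are constructed for the example; it assumes Java 17.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.UUID;
import java.util.function.BiPredicate;

/** Constructed model of policy combination (OR over matching policies, deny by default). */
public class PolicyUnionModel {

    /** Protected record, constructed for the example: an identity and the id of its manager. */
    public record Identity(String username, UUID id, UUID managerId) {}

    /** One configured policy: evaluator name, granted base permissions, and the rule deciding whether it matches. */
    public record Policy(String evaluator, Set<String> permissions, BiPredicate<UUID, Identity> matches) {}

    // Base permission names, constructed to mirror those used on this page.
    public static final String AUTOCOMPLETE = "AUTOCOMPLETE";
    public static final String READ = "READ";
    public static final String UPDATE = "UPDATE";

    /** Policies a typical user role carries, modelled as rules (constructed, not the real evaluators). */
    public static List<Policy> userRolePolicies() {
        return List.of(
            // like BasePermissionEvaluator: AUTOCOMPLETE for every identity (the "select box" case above)
            new Policy("BasePermissionEvaluator", Set.of(AUTOCOMPLETE), (loggedId, target) -> true),
            // like SelfIdentityEvaluator: my own identity only
            new Policy("SelfIdentityEvaluator", Set.of(READ, UPDATE), (loggedId, target) -> target.id().equals(loggedId)),
            // like SubordinatesEvaluator: identities whose manager I am
            new Policy("SubordinatesEvaluator", Set.of(READ), (loggedId, target) -> loggedId.equals(target.managerId()))
        );
    }

    /**
     * Effective permissions of the logged-in user for one record: the union of the permissions of
     * every policy whose rule matches. A policy can only add permissions, never remove them.
     */
    public static Set<String> evaluate(UUID loggedId, List<Policy> policies, Identity target) {
        Set<String> effective = new TreeSet<>();
        for (Policy policy : policies) {
            if (policy.matches().test(loggedId, target)) {
                effective.addAll(policy.permissions());
            }
        }
        return effective;
    }

    /** The REST-level question "may the user do this operation on this record?" for one base permission. */
    public static boolean hasPermission(UUID loggedId, List<Policy> policies, Identity target, String permission) {
        return evaluate(loggedId, policies, target).contains(permission);
    }

    /**
     * Model of the "predicate in the where clause": the result set of a search for a given permission
     * is restricted by the matching policies, so records the user may not see are never returned.
     */
    public static List<Identity> find(UUID loggedId, List<Policy> policies, List<Identity> all, String permission) {
        List<Identity> visible = new ArrayList<>();
        for (Identity candidate : all) {
            if (hasPermission(loggedId, policies, candidate, permission)) {
                visible.add(candidate);
            }
        }
        return visible;
    }

    public static void main(String[] args) {
        UUID alice = UUID.randomUUID();
        UUID bob = UUID.randomUUID();
        UUID carol = UUID.randomUUID();
        Identity me = new Identity("alice", alice, null);
        Identity subordinate = new Identity("bob", bob, alice);   // Alice manages Bob
        Identity stranger = new Identity("carol", carol, bob);    // Carol is managed by Bob, not by Alice
        List<Identity> all = List.of(me, subordinate, stranger);
        List<Policy> policies = userRolePolicies();

        System.out.println("alice on herself:  " + evaluate(alice, policies, me));          // self + base policies
        System.out.println("alice on bob:      " + evaluate(alice, policies, subordinate)); // subordinate + base
        System.out.println("alice on carol:    " + evaluate(alice, policies, stranger));    // base only: selectable, not readable
        System.out.println("READ search:       " + find(alice, policies, all, READ).stream().map(Identity::username).toList());
        System.out.println("AUTOCOMPLETE list: " + find(alice, policies, all, AUTOCOMPLETE).stream().map(Identity::username).toList());
        System.out.println("no policies:       " + evaluate(alice, List.of(), me));         // empty: deny by default
    }
}
```

Run with `java PolicyUnionModel.java`. The point to take from it is the asymmetry in the "stranger" case: Carol can be picked in a select box (AUTOCOMPLETE from the base policy) but her detail cannot be opened (no policy adds READ), which is exactly the agenda-versus-data distinction in the note above.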

===== Additional base permissions =====

For some entities, additional base permissions were added,

==== Identity ====

  * ''
  * ''
  * ''
  * ''
  * ''
  * ''
  * ''
  * ''
  * ''
  * ''
  * ''
  * ''

==== Role ====

  * ''
  * ''

==== Identity role ====

  * ''

==== Identity contract ====

  * ''
  * ''

===== Cache =====

The cache is used for evaluating authorization policies and permissions by ''

  * **''
  * **''

===== Base authorization evaluators =====

==== AbstractAuthorizationEvaluator ====

Adds the default implementation of the ''

==== AbstractTransitiveEvaluator ====

Serves as a parent for evaluating permissions according to derived objects; for example, I have a permission for an assigned role if I have a permission for the identity, etc. See the children of this abstract class below (''

=== Parameters ===
  * **Use permissions** (''

==== BasePermissionEvaluator ====
Serves for assigning the configured permission for the configured domain type, i.e. for all the data of the given type. It can be used when we want to give access to an agenda including access to all of its data. **It is used, for example, for an admin with the configuration: any type (permissions for all the ''
<

==== UuidEvaluator ====

"

==== CodeableEvaluator ====

"

==== SelfIdentityEvaluator ====

Gives the currently logged-in user a permission to work with their own identity.

==== IdentityByFormProjectionEvaluator ====

@since 10.3.0

A permission for identities by user type.

=== Parameters ===
  * **User type** (''

==== SubordinatesEvaluator ====

A permission for contracts which are my subordinates. [[..:

==== SubordinateContractEvaluator ====

@since 10.3.0

A permission for identities which are my subordinate contracts. [[..:

==== IdentityContractByIdentityEvaluator ====

Gives a permission for industrial relations (contracts) according to the permission for the identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. ''

=== Parameters ===
  * **Use permissions** (''

<note warning>

==== IdentityByContractEvaluator ====

@since 10.3.0

Gives a permission for an identity according to the permission for the identity contract => e.g. if I have a permission to read a contract, I have a permission to read its identity.

<note warning>

==== ContractGuaranteeByIdentityContractEvaluator ====

Gives a permission for guarantees of an industrial relation (setting a guarantee "

==== IdentityRoleByIdentityEvaluator ====

Gives a permission for assigned roles according to the permission for the identity => e.g. if I have a permission to read an identity, I have a permission to read its assigned roles. ''

==== IdentityRoleByContractEvaluator ====

@since 10.3.0

Gives a permission for assigned roles according to the permission for the contract => e.g. if I have a permission to read a contract, I have a permission to read its assigned roles. ''

==== IdentityRoleByRoleEvaluator ====

@since 9.7.12

Gives a permission for assigned roles according to the permission for the role definition => e.g. if I have a permission to read a role, I have a permission to read its assigned roles. ''
It is useful mainly together with the "Can be requested" permission: it enables copying assigned roles from another identity.

=== Parameters ===
  * **Can be requested only** (''

<note tip>If you want to enable copying all assigned roles (the same behavior as before 9.7.12), then configure ''


==== RoleGuaranteeEvaluator ====

Gives a permission to work with the roles which I guarantee. A role guarantee can be configured by:
  * **identity** - a concrete identity can be selected as the role guarantee
  * **role** - identities with the selected role assigned will be role guarantees.

This evaluator handles both ways (OR).

This evaluator can be used for the use case where a role guarantee can assign the roles they guarantee to users (@since 11.1.0). The authorization policies can be set as follows:
  * Permission to work with guaranteed roles: Roles (IdmRole) | View in select box (autocomplete),
  * Permission to all identities: Users (IdmIdentity) | Read | BasePermissionEvaluator
  * Permission to assign a new role to all contracts: Contracted positions (IdmIdentityContract) | Can be requested | BasePermissionEvaluator
  * Permission to read all assigned roles: Assigned roles (IdmIdentityRole) | - | IdentityRoleByIdentityEvaluator
  * Permission to assign guaranteed roles: Assigned roles (IdmIdentityRole) | **Can be requested only: true** | IdentityRoleByRoleEvaluator

==== AuthorizationPolicyByRoleEvaluator ====

Gives a permission for authorization policies according to the permission for a role => e.g. if I have a permission to read a role, I have a permission to read the authorization policies assigned to it. If I have a permission to edit a role, I have a permission to edit (add or delete) the authorization policies assigned to it.

==== RoleTreeNodeByRoleEvaluator ====

Gives a permission for automatic roles according to the permission for a role => e.g. if I have a permission to read a role, I have a permission to read the automatic roles assigned to it. If I have a permission to edit a role, I have a permission to edit (add or delete) the automatic roles assigned to it.

==== ConfigurationEvaluator ====

Gives a permission for [[..:

==== RoleCanBeRequestedEvaluator ====
Assigns permissions for a role according to the role attribute "

==== RoleAccountByRoleEvaluator ====

Gives a permission for accounts in a system according to the permission for the role => e.g. if I have a permission to read a role, I have a permission to read its accounts in the system. ''

==== RoleCatalogueAccountByRoleCatalogueEvaluator ====

Gives a permission for accounts in a system according to the permission for the role catalogue => e.g. if I have a permission to read a role catalogue, I have a permission to read its accounts in the system. ''

==== SelfRoleRequestEvaluator ====

Gives the currently logged-in user a permission to work with their own role requests. This functionality can be configured in another way, by a combination of ''

==== RoleRequestByIdentityEvaluator ====

Gives a permission for role requests according to the permission for the identity => e.g. if I have a permission to read an identity, I have a permission to read its role requests. ''

==== RoleRequestByWfInvolvedIdentityEvaluator ====

Gives a permission to work with the role requests which I have to approve. All involved identities (approver, applicant, implementer, ...) will have this permission. This policy is needed for workflow approval, where the approver doesn'

==== TreeAccountByRoleEvaluator ====

Gives a permission for accounts in a tree node according to the permission for the role => e.g. if I have a permission to read a role, I have a permission to read its accounts in the tree node. ''

==== FormAttributteByDefinitionEvaluator ====

Gives a permission for form attributes according to the permission for the form definition => e.g. if I have a permission to read a form definition, I have a permission to read its attributes. ''


==== FormAttributteByCodeListEvaluator ====

@since 9.4.0

Gives a permission for form attributes according to the permission for the code list => e.g. if I have a permission to read a code list, I have a permission to read its attributes.

==== CodeListItemByCodeListEvaluator ====

@since 9.4.0

Gives a permission for code list items according to the permission for the code list => e.g. if I have a permission to read a code list, I have a permission to read its items.

==== CodeListItemByCodeEvaluator ====

@since 10.3.0

Gives a permission for code list items according to the permission for the code list and the item codes.

=== Parameters ===
  * **Code list** (''
  * **Items** (''

==== VsRequestByImplementerEvaluator ====

Shows requests only to their assigned implementers. With this evaluator, a user can view and edit only the requests for which they are an implementer (directly or via roles).

==== ReadAccountByIdentityEvaluator ====
<note important>
Shows accounts only to identities which have a relation (via the identity-account entity) to those accounts. With this evaluator, a user can view the accounts they own.

==== IdentityAccountByAccountEvaluator ====

Shows identity-accounts only to identities which have permissions on the accounts. With this evaluator, a user can view and edit only the identity-accounts whose accounts they own.

==== SelfReportEvaluator ====

Gives the currently logged-in identity a permission to work with their own reports => the logged-in identity is the report creator.

==== IdentityFormValueEvaluator ====

@since 8.2.0

<note tip>

<note important>

Permissions to identity form attribute values, by definition (main if not specified) and attribute codes (all if not specified).

Evaluating authorization policies for identity extended form attributes has to be enabled by [[..:

=== Parameters ===
  * **Form definition** (''
  * **Attributes** (''
  * **Logged user only** (''
  * **By permission to update user** (''
  * **By permission to read user** (''

==== IdentityContractFormValueEvaluator ====

@since 10.2.0

<note tip>

<note important>

Permissions to contract form attribute values, by definition (main if not specified) and attribute codes (all if not specified).
Configure permissions for form definitions together with this evaluator - ''

=== Parameters ===
  * **Form definition** (''
  * **Attributes** (''
  * **By permission to update contract** (''
  * **By permission to read contract** (''


==== RoleCatalogueRoleByRoleEvaluator ====

@since 9.0.0

Permissions to assigned role catalogue relations by role. If I have a permission to a role, I have a permission to its role catalogue relations.


==== RoleCompositionBySubRoleEvaluator ====

@since 9.0.0

Permissions to business roles by sub role. If I have a permission to a role, I have a permission to the business roles (compositions) in which this role is defined as the sub role.

==== RoleCompositionBySuperiorRoleEvaluator ====

@since 9.0.0

Permissions to business roles by superior role. If I have a permission to a role, I have a permission to the business roles (compositions) in which this role is defined as the superior role.

==== RoleGuaranteeByRoleEvaluator ====

@since 9.0.0

Permissions to assigned guarantees (by identity) by role.

==== RoleFormAttributeByRoleEvaluator ====

@since 9.4.0

Permissions to role attributes (subdefinition) by role.

==== RoleGuaranteeRoleByRoleEvaluator ====

@since 9.0.0

Permissions to assigned guarantees (by role) by role.

==== ContractPositionByIdentityContractEvaluator ====

@since 9.1.0

Permissions to other contract positions assigned by identity contract. If I have a permission to an identity contract, I have a permission to its other contract positions.

==== SelfProfileEvaluator ====

@since 9.2.0

Gives the currently logged-in user a permission to work with their own profile.

==== ProfileByIdentityEvaluator ====

@since 9.2.0

Permissions to profiles by identity. If I have a permission to an identity, I have a permission to its profile.

=== Parameters ===
  * **By permission to read user** (''

==== SelfIdentityRoleEvaluator ====

@since 9.3.0

Permissions to identity roles: a user can manipulate their own assigned roles. With the basic settings for users you do not need this, because the evaluator **IdentityRoleByIdentityEvaluator** exists and every identity can read all assigned roles of the identities it can read.

==== SelfContractEvaluator ====

@since 10.4.0

Permissions to contracts: a user can manipulate their own contracts.

==== Universal request agenda (IdmRequest - evaluators) ====

[[devel:

==== RoleByRoleCatalogueEvaluator ====
@since 10.3.0; for the **LTS version**, a similar evaluator is available in [[devel:

Documentation for the evaluator is available [[devel:

==== IdentityByTreeNodeEvaluator ====
@since 10.3.0; for the **LTS version**, a similar evaluator is available in [[devel:

Documentation for the evaluator is available [[devel:

===== Default policies =====

The configuration of default permissions for agendas and data for all logged-in users is carried out through the default role according to the [[..:


<note tip>Business roles are supported with the default role => the user will get all authorization policies from the default role and all of its sub roles.</note>

===== Examples of configuration =====

==== Default settings of permissions for an identity profile ====

This is a typical setting for the **userRole** - a regular user as defined in the [[..:

If we want to read an identity profile including its assigned roles and IR (contracts), to enable password change and to request roles, it is possible to set the default role authorization policies as follows:
  * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete,
  * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole) | - | IdentityRoleByIdentityEvaluator
  * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since version 9.7.12)
  * Permission to request roles by copying them from another identity (which can be requested): Assigned roles (IdmIdentityRole) | **Can be requested only: true** | IdentityRoleByRoleEvaluator
  * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions:
  * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator
  * Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator
  * Permission to read one's own role requests: Role requests (IdmRoleRequest) | Read, Delete, Update, Create | SelfRoleRequestEvaluator
  * Permission to read role requests according to identity: Requests for assigned roles (IdmRoleRequest) | - | RoleRequestByIdentityEvaluator
  * Permission to read role requests in workflow approval: Requests for assigned roles (IdmRoleRequest) | Read, Update, Create, Delete | RoleRequestByWfInvolvedIdentityEvaluator
  * Permission to read and execute tasks: Workflow - tasks | Read, Execute | BasePermissionEvaluator (since version 7.7.0)
  * Permission to read and change the identity profile: Identity profile (IdmProfile) | Read, Update, Create | SelfProfileEvaluator (since version 9.2.0)
  * Enabling the autocomplete for entities:
    * Users (IdmIdentity) | Displaying in autocomplete,
    * User profile (picture) (IdmProfile) | Displaying in autocomplete,
    * Role (IdmRole) | Displaying in autocomplete,
    * Role catalog (IdmRoleCatalogue) | Displaying in autocomplete,
    * Industrial relations (IdmIdentityContract) | Displaying in autocomplete,
    * Structure types (IdmTreeType) | Displaying in autocomplete,
    * Tree nodes (IdmTreeNode) | Displaying in autocomplete,
    * Accounts (AccAccount) | - | ReadAccountByIdentityEvaluator
    * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator
    * Connected systems | Displaying in autocomplete,
    * Scheduler (IdmLongRunningTask) | Displaying in autocomplete,
    * Code lists (IdmCodeList) | Displaying in autocomplete,
    * Code lists - items (IdmCodeListItem) | Displaying in autocomplete,
  * Permission to read and solve one's requests on virtual systems: Requests on virtual systems (VsRequest) | Administration | VsRequestByImplementerEvaluator ([[tutorial:

<note tip>From version 9.7.3, manually disabling and manually enabling a user is no longer allowed by the Identity permission ''

<note tip>From version 9.7.12, it is required ''

=== Manager and subordinates ===

If you want to enable the managers of users to read their subordinates and change their permissions on managed contracts only:
  * **add** the following **permissions** to the userRole:
    * Users (IdmIdentity) | View in select box (autocomplete),
    * Contracts (IdmIdentityContract) | View in select box (autocomplete),
    * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator**

<note tip>This configuration is available from version 10.3.0. If you are using an older version, add one permission instead:
  * Users (IdmIdentity) | View in select box (autocomplete),

**With this setting, the manager will also see the contracts they do not manage** (=> all contracts of the identity) and can assign a role to any of them. This is the reason why the new authorization policies and settings were introduced in version 10.3.0.
</note>

==== Default settings of permissions for delegations ====

Default settings of permissions for delegations are defined in the role '

<note tip>You can see a detailed configuration of the evaluators with comments here:
[[https://
|InitDelegationRoleProcessor]]</note>

==== Settings of permissions for the Helpdesk role ====

The Helpdesk role as defined in the [[..:
  * Permission to read and change passwords of all identities: Users (IdmIdentity) | Displaying in autocomplete,
  * Permission to read the audit: Audit | Read | BasePermissionEvaluator
  * Permission to see sent notifications:
  * Permission to see provisioning operations (queue): Provisioning - operations in queue (SysProvisioningOperation) | Read | BasePermissionEvaluator
  * Permission to see the provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator

==== Settings of permissions for the virtual system implementer ====

The virtual system implementer (~approver) role should have the following additional permissions:
  * Permission to administer virtual system requests: Requests on virtual systems (VsRequest) | Administration (all) | VsRequestByImplementerEvaluator

==== Default settings of permissions for a role detail ====

If we want to read and edit the roles where we are a guarantee, including the assigned permissions,
  * Permission to read guaranteed roles: Role (IdmRole) | Reading, Editing | RoleGuaranteeEvaluator
  * Permission to read configured role guarantees:
    * Role authorizers - by identity (IdmRoleGuarantee) | - | RoleGuaranteeByRoleEvaluator
    * Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator
  * Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator
  * Permission to autocomplete automatic roles (tree): Automatic roles (IdmRoleTreeNode) | Displaying in autocomplete,
  * Permission to read automatic roles (attributes) by role:
    * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Displaying in autocomplete,
    * Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule) | Read | BasePermissionEvaluator
  * Permissions to read requests for automatic roles (both):
    * Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator
    * Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator
  * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update | AutomaticRoleRequestByWfInvolvedIdentityEvaluator. To create a new automatic role request or delete one, add another evaluator (for example BasePermissionEvaluator for the chosen users). Also add the autocomplete permission for IdmAutomaticRoleAttribute (if you use automatic roles by attributes) and IdmRoleTreeNode (if you use automatic roles by organizations).
  * Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator
  * Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator
  * Permission to read account relations by role: Role accounts (AccRoleAccount) | - | RoleAccountByRoleEvaluator
  * Permission to read assigned catalogue items by role: Role catalog - assigned roles (IdmRoleCatalogueRole) | - | RoleCatalogueRoleByRoleEvaluator
  * Permission to read defined business roles (role composition):
    * Business roles definition (IdmRoleComposition) | - | [[#
    * Business roles definition (IdmRoleComposition) | - | [[#
  * Permission to autocomplete form definitions:
    * Role attributes (subdefinition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator

==== Default settings of permissions for a code list admin ====

If we want to configure application code lists, the authorization policies can be set as follows:
  * Permission to administer code lists: Code lists (IdmCodeList) | Admin | BasePermissionEvaluator
  * Permission to administer code list items by code lists: Code lists - items (IdmCodeListItem) | - | [[#
  * Permission to administer code list extended attributes: Forms - attributes (IdmFormAttribute) | - | [[#

==== Settings of permissions of identity basic attributes ====

If we want to enable the currently logged-in identity to change all of its basic identity attributes (e.g. login, first name, surname), the authorization policies can be set as follows:
  * Permission to update the identity and its attributes: Users (IdmIdentity) | **Update**, Change phone, Change personal number, Change note, Change login, Change user type (projection),

<note tip>Can be combined with [[#

<note important>

==== Settings of permissions of identity form (extended) attribute values ====

If we want to enable the currently logged-in identity to read / update some form attributes (e.g. ''
  * Permission to autocomplete the main form definition: Forms - definitions (IdmFormDefinition) | Displaying in autocomplete,
  * Permission to update ''
  * and check the "Logged user only" checkbox if the currently logged-in user should be able to edit only themselves; the logged-in user will then not get permissions to edit other users.

==== Settings of permissions of contract form (extended) attribute values ====

If we want to enable the currently logged-in identity to read / update some contract form attributes (e.g. ''
  * Permission to autocomplete the main form definition: Forms - definitions (IdmFormDefinition) | Displaying in autocomplete,
  * Permission to update ''


==== Settings which enable skipping of the role approval ====

Assignment of roles is normally approved by the standard [[devel:
  * Permission to directly execute role requests: Role requests (IdmRoleRequest) | Execute | BasePermissionEvaluator

===== Employing policies for a new domain type - entity =====

To employ permissions for data for a new domain type, it is necessary:
  * to implement the interface ''
  * to implement a new rule if the universal ones (see above) do not suffice. In order to simplify the implementation of a new rule, the class ''

<code java>
/**
 * Adds permission for creating a new role only
 */
@Component
@Description("...") // the description text is cut off in the source
public class RoleWriteNewOnlyEvaluator extends AbstractAuthorizationEvaluator<IdmRole> { // type parameter inferred: the evaluator is for roles (IdmRole)

	@Override
	public Set<String> getPermissions(IdmRole entity, AuthorizationPolicy policy) {
		// start from what the parent implementation grants, then add CREATE for every role
		Set<String> permissions = super.getPermissions(entity, policy);
		permissions.add(IdmBasePermission.CREATE.getName());
		return permissions;
	}
}
</code>
  * the rest is taken care of by ''
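As an added example (not the project's own code and not the snippet above), the following evaluator covers the three responsibilities of the authorization manager described earlier on this page: it declares a configurable parameter, contributes a where-clause predicate when roles are searched or auto-completed, and reports the permissions it adds for one loaded role at the REST level. The evaluator name, the package and the parameter `code-prefix` are hypothetical. The CzechIdM class names, packages and method signatures (`AbstractAuthorizationEvaluator`, `AuthorizationPolicy`, `hasPermission`, `getParameterNames`, `IdmRole_`) are written from the CzechIdM public API as the editor recalls it for the 10.x/11.x line and must be checked against the version in use.

```java
package eu.bcvsolutions.idm.example.security.evaluator; // hypothetical package of a custom module

import java.util.List;
import java.util.Objects;
import java.util.Set;

import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Predicate;
import javax.persistence.criteria.Root;

import org.springframework.context.annotation.Description;
import org.springframework.stereotype.Component;

// CzechIdM API types: packages and signatures assumed from the public API, verify against your version
import eu.bcvsolutions.idm.core.model.entity.IdmRole;
import eu.bcvsolutions.idm.core.model.entity.IdmRole_;
import eu.bcvsolutions.idm.core.security.api.domain.AuthorizationPolicy;
import eu.bcvsolutions.idm.core.security.api.domain.BasePermission;
import eu.bcvsolutions.idm.core.security.evaluator.AbstractAuthorizationEvaluator;

/**
 * Grants the permissions configured on the policy only for roles whose code starts with the
 * prefix configured on the same policy (parameter "code-prefix"). Hypothetical evaluator
 * written for this documentation, not part of CzechIdM.
 */
@Component(RoleByCodePrefixEvaluator.EVALUATOR_NAME)
@Description("Permissions to roles by code prefix")
public class RoleByCodePrefixEvaluator extends AbstractAuthorizationEvaluator<IdmRole> {

    public static final String EVALUATOR_NAME = "example-role-by-code-prefix-evaluator"; // hypothetical
    public static final String PARAMETER_CODE_PREFIX = "code-prefix";                       // hypothetical

    /** Exposes the parameter so that an administrator can fill it in on the policy detail. */
    @Override
    public List<String> getParameterNames() {
        List<String> parameters = super.getParameterNames();
        parameters.add(PARAMETER_CODE_PREFIX);
        return parameters;
    }

    /**
     * Where-clause part used when roles are searched or auto-completed: only roles with the
     * configured prefix are returned, and only if the policy grants the requested permission.
     * Returning null means "this policy adds nothing"; other policies may still match (OR).
     */
    @Override
    public Predicate getPredicate(Root<IdmRole> root, CriteriaQuery<?> query, CriteriaBuilder builder,
            AuthorizationPolicy policy, BasePermission... permission) {
        if (!hasPermission(policy, permission)) {
            return null;
        }
        String prefix = getCodePrefix(policy);
        if (prefix == null) {
            return null; // misconfigured policy: deny by default instead of matching every role
        }
        return builder.like(root.get(IdmRole_.code), escapeLike(prefix) + "%", '\\');
    }

    /** Permissions this policy adds for one loaded role (the REST-level operation check). */
    @Override
    public Set<String> getPermissions(IdmRole entity, AuthorizationPolicy policy) {
        Set<String> permissions = super.getPermissions(entity, policy);
        String prefix = getCodePrefix(policy);
        if (entity == null || prefix == null || entity.getCode() == null || !entity.getCode().startsWith(prefix)) {
            return permissions; // nothing added: the role is outside the configured prefix
        }
        permissions.addAll(policy.getPermissions());
        return permissions;
    }

    /** Reads the parameter from the policy's evaluator properties; blank values count as not configured. */
    private String getCodePrefix(AuthorizationPolicy policy) {
        String prefix = Objects.toString(policy.getEvaluatorProperties().get(PARAMETER_CODE_PREFIX), null);
        return (prefix == null || prefix.isBlank()) ? null : prefix.trim();
    }

    /** Keeps LIKE wildcards typed into the parameter from widening the match beyond a literal prefix. */
    static String escapeLike(String value) {
        return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }
}
```

Two design points are worth noting. The predicate and the per-entity permission check must agree (both use the same `getCodePrefix` and the same prefix test), otherwise a role could be listed but not opened or the other way round. And a missing or blank parameter yields a null predicate and no added permissions rather than a match-all, so a half-configured policy cannot silently turn into a BasePermissionEvaluator for all roles.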