Differences

This shows you the differences between two versions of the page.

--- devel:documentation:security:dev:authorization [2019/02/13 08:22]
kotisovam first part moved to the admin section
+++ devel:documentation:security:dev:authorization [2019/11/13 07:39]
tomiskar [Default settings of permissions for an identity profile]
@@ Line 1: / Line 1: @@
-===== Base interfaces and classes =====
+===== Authorization policies =====
-{{tag> security authorization role }}
+{{tag> security authorization role policy }}
+An authorization policy determines which permissions a user in CzechIdM has.
+A policy is assigned to a role and everyone with this role gains the permissions determined by the policy as well.
+  * assigning permissions in CzechIdM via ordinary roles enables managing permissions for CzechIdM by a standard mechanism
+The default role "User" gives implicit permissions, which all the users in CzechIdM have. This role is not assigned explicitly, it is simply default and is always applied (see the following chapter).
+A new agenda of **authorization policies = permissions for data and agendas** has been tied to a role. Assigning permissions makes available both agendas on the front-end (or rather REST endpoints on the back-end) and permissions for data (make records in these agendas available) to the logged in user. Permissions for agendas (REST endpoints) are assessed according to the set permissions.
+<note info>The main idea is that **if an agenda supports a permission for data**, then we cannot see any data in the default state. To see some data we **need** to get / **comply with** a configured **policy**, which we get **based on our assigned roles**. Between policies is **OR** operator => we adding permissions for data.</note>
+<note important>
+**How permissions for agendas and permissions for data work together**:
+  * To see some data, we need to have at least one role with a policy assigning the permissions.
+**Real life example**:
+Let there be an agenda of identities. **To be able to select from the identity dial** (e.g. in filters) **we need to be assigned a permission for an agenda of autocomplete for identities** ''Identity - AUTOCOMPLETE'' or //Displaying in autocomplete, selections// for instance with the evaluation type ''BasePermissionEvaluator''.
+</note>
+===== Base interfaces and classes =====
@@ Line 50: / Line 73: @@
   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.
   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
+  * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button.
+  * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button.
+==== Role====
+  * ''CANBEREQUESTED'' - role, which can be requested. Used in role request and bulk actions for assign role.
+==== Identity role====
+  * ''CANBEREQUESTED'' - role, which can be requested. Used in copying assigned roles by other identity.
 ===== Base authorization evaluators =====
@@ Line 92: / Line 126: @@
 Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles.
+==== IdentityRoleByRoleEvaluator ====
+@since 9.7.12
+Gives a permission for assigned roles according to the permission for the role definition => e.g. If I have a permission to read an role, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the role, I have a permission to edit its assigned roles.
+It's usable mainly with can be requested permission - enables copying assigned roles from other identity.
+=== Parameters ===
+  * **Can be requested only** (''can-be-requested-only'') - Add permission for role requests only (can be requested). Usable, when assigned roles need to be copied from another user. **Other permissions will not be added.**
+<note tip>If you want to enable copying all assigned roles (the same behavior < @9.7.12), then configure ''BasePermissionEvaluator'' with ''Can be requested'' permission to all assigned roles (``IdmIdentityRole``).</note>
@@ Line 276: / Line 322: @@
   * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, reading, change password, manage authorizations | SelfIdentityEvaluator
   * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator
+  * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator
+  * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12)
   * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator
   * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator
@@ Line 283: / Line 331: @@
   * Permission to read role requests in workflow approval: Requests for assigned roles (IdmRoleRequest) | Read, Update, Create, Delete | RoleRequestByWfInvolvedIdentityEvaluator
   * Permission to read and execute for tasks: Workflow - tasks | Read, Execute | BasePermissionEvaluator (since the version 7.7.0)
-  * Permission to read and change indetity profile: Identity profile | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0)
+  * Permission to read and change indetity profile: Identity profile (IdmProfile) | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0)
   * Enabling the autocomplete for entities:
     * User profile (picture) (IdmProfile) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Users (IdmIdentity) | Displaying in autocomplete, selections | BasePermissionEvaluator
-    * Role (IdmRole) | Displaying in autocomplete, selections | **RoleCanBeRequestedEvaluator** (this is necessary to filter roles by the "Can be requested" attribute in the role requests).
+    * Role (IdmRole) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Industrial relations (IdmIdentityContract) | Displaying in autocomplete, selections | BasePermissionEvaluator
@@ Line 295: / Line 343: @@
     * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator       **(<- use this only when using acc module)**
     * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator
-  * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possible in wrong place.
+  * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place.
   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator
 If you want to enable the managers of the users to read their subordinates and change their permissions, add following permissions to the userRole:
   * Users (IdmIdentity)	| Manage authorizations, View in select box (autocomplete), Read | SubordinatesEvaluator
+<note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity ''UPDATE''. But exits own permissions for each operation (''MANUALLYDISABLE'' or ''MANUALLYENABLE'')</note>
+<note tip>From version 9.7.12 it's required ''CANBEREQUESTED'' permission for copying roles into request by other identity.</note>
 ==== Settings of permissions for the Helpdesk role ====
@@ Line 307: / Line 359: @@
   * Permission to read audit: Audit | Read | BasePermissionEvaluator
   * Permission to see sent notifications: Notifications | Read | BasePermissionEvaluator
-  * FIXME add permissions to see the provisioning queue and archive
+  * Permission to see provisioning operations (queue): Provisioning - operations in queue (SysProvisioningOperation) | Read | BasePermissionEvaluator
+  * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator
 ==== Default settings of permissions for a role detail ====