Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
devel:documentation:security:dev:authorization [2019/02/13 08:22] kotisovam first part moved to the admin section |
devel:documentation:security:dev:authorization [2020/03/26 20:05] tomiskar [IdentityFormValueEvaluator] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ===== Base interfaces and classes | + | ===== Authorization policies |
- | {{tag> security authorization role }} | + | {{tag> security authorization role policy default user role permissions |
+ | |||
+ | An authorization policy determines which permissions a user in CzechIdM has. | ||
+ | |||
+ | A policy is assigned to a role and everyone with this role gains the permissions determined by the policy as well. | ||
+ | * assigning permissions in CzechIdM via ordinary roles enables managing permissions for CzechIdM by a standard mechanism | ||
+ | |||
+ | The default role " | ||
+ | |||
+ | A new agenda of **authorization policies = permissions for data and agendas** has been tied to a role. Assigning permissions makes available both agendas on the front-end (or rather REST endpoints on the back-end) and permissions for data (make records in these agendas available) to the logged in user. Permissions for agendas (REST endpoints) are assessed according to the set permissions. | ||
+ | |||
+ | <note info>The main idea is that **if an agenda supports a permission for data**, then we cannot see any data in the default state. To see some data we **need** to get / **comply with** a configured **policy**, which we get **based on our assigned roles**. Between policies is **OR** operator => we adding permissions for data.</ | ||
+ | |||
+ | <note important> | ||
+ | **How permissions for agendas and permissions for data work together**: | ||
+ | * To see some data, we need to have at least one role with a policy assigning the permissions. | ||
+ | |||
+ | **Real life example**: | ||
+ | |||
+ | Let there be an agenda of identities. **To be able to select from the identity dial** (e.g. in filters) **we need to be assigned a permission for an agenda of autocomplete for identities** '' | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Base interfaces and classes ===== | ||
Line 50: | Line 73: | ||
* '' | * '' | ||
* '' | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | ==== Role==== | ||
+ | |||
+ | * '' | ||
+ | |||
+ | |||
+ | ==== Identity role==== | ||
+ | |||
+ | * '' | ||
===== Base authorization evaluators ===== | ===== Base authorization evaluators ===== | ||
Line 92: | Line 126: | ||
Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. '' | Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. '' | ||
+ | |||
+ | ==== IdentityRoleByRoleEvaluator ==== | ||
+ | |||
+ | @since 9.7.12 | ||
+ | |||
+ | Gives a permission for assigned roles according to the permission for the role definition => e.g. If I have a permission to read an role, I have a permission to read its assigned roles. '' | ||
+ | It's usable mainly with can be requested permission - enables copying assigned roles from other identity. | ||
+ | |||
+ | === Parameters === | ||
+ | * **Can be requested only** ('' | ||
+ | |||
+ | <note tip>If you want to enable copying all assigned roles (the same behavior < @9.7.12), then configure '' | ||
Line 192: | Line 238: | ||
* **By permission to update user** ('' | * **By permission to update user** ('' | ||
* **By permission to read user** ('' | * **By permission to read user** ('' | ||
+ | |||
+ | ==== IdentityContractFormValueEvaluator ==== | ||
+ | |||
+ | @since 10.2.0 | ||
+ | |||
+ | <note tip> | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | Permissions to contract form attribute values. By definition (main if not specified) and attrinute codes (all if not specified). | ||
+ | Configure permissions for form definitions together with this evaluator - '' | ||
+ | |||
+ | === Parameters === | ||
+ | * **Form definition** ('' | ||
+ | * **Attributes** ('' | ||
+ | * **By permission to update contract** ('' | ||
+ | * **By permission to read contract** ('' | ||
+ | |||
==== RoleCatalogueRoleByRoleEvaluator ==== | ==== RoleCatalogueRoleByRoleEvaluator ==== | ||
Line 276: | Line 340: | ||
* Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, | * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, | ||
* Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | ||
+ | * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator | ||
+ | * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) | ||
* Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator | ||
* Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | ||
Line 283: | Line 349: | ||
* Permission to read role requests in workflow approval: Requests for assigned roles (IdmRoleRequest) | Read, Update, Create, Delete | RoleRequestByWfInvolvedIdentityEvaluator | * Permission to read role requests in workflow approval: Requests for assigned roles (IdmRoleRequest) | Read, Update, Create, Delete | RoleRequestByWfInvolvedIdentityEvaluator | ||
* Permission to read and execute for tasks: Workflow - tasks | Read, Execute | BasePermissionEvaluator (since the version 7.7.0) | * Permission to read and execute for tasks: Workflow - tasks | Read, Execute | BasePermissionEvaluator (since the version 7.7.0) | ||
- | * Permission to read and change indetity profile: Identity profile | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0) | + | * Permission to read and change indetity profile: Identity profile |
* Enabling the autocomplete for entities: | * Enabling the autocomplete for entities: | ||
* User profile (picture) (IdmProfile) | Displaying in autocomplete, | * User profile (picture) (IdmProfile) | Displaying in autocomplete, | ||
* Users (IdmIdentity) | Displaying in autocomplete, | * Users (IdmIdentity) | Displaying in autocomplete, | ||
- | * Role (IdmRole) | Displaying in autocomplete, | + | * Role (IdmRole) | Displaying in autocomplete, |
* Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, | * Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, | ||
* Industrial relations (IdmIdentityContract) | Displaying in autocomplete, | * Industrial relations (IdmIdentityContract) | Displaying in autocomplete, | ||
Line 295: | Line 361: | ||
* Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator | * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator | ||
* Connected systems | Displaying in autocomplete, | * Connected systems | Displaying in autocomplete, | ||
- | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possible | + | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly |
* Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | ||
If you want to enable the managers of the users to read their subordinates and change their permissions, | If you want to enable the managers of the users to read their subordinates and change their permissions, | ||
* Users (IdmIdentity) | Manage authorizations, | * Users (IdmIdentity) | Manage authorizations, | ||
+ | |||
+ | <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity '' | ||
+ | |||
+ | <note tip>From version 9.7.12 it's required '' | ||
==== Settings of permissions for the Helpdesk role ==== | ==== Settings of permissions for the Helpdesk role ==== | ||
Line 307: | Line 377: | ||
* Permission to read audit: Audit | Read | BasePermissionEvaluator | * Permission to read audit: Audit | Read | BasePermissionEvaluator | ||
* Permission to see sent notifications: | * Permission to see sent notifications: | ||
- | * FIXME add permissions | + | * Permission |
+ | * Permission to see provisioning archive: Provisioning - archive | ||
==== Default settings of permissions for a role detail ==== | ==== Default settings of permissions for a role detail ==== | ||
Line 345: | Line 416: | ||
* Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, | ||
* Permission to update phone attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition, enter ' | * Permission to update phone attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition, enter ' | ||
+ | |||
+ | ==== Settings which enable skipping of the role approvement ==== | ||
+ | |||
+ | Assignment of roles is normally approved by the standard [[devel: | ||
+ | * Permission to directly execute role requests: Role requests (IdmRoleRequest) | Execute | BasePermissionEvaluator | ||
===== Employing policies for a new domain type - entity ===== | ===== Employing policies for a new domain type - entity ===== |