Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
devel:documentation:security:dev:authorization [2019/05/13 06:40]
tomiskar 		devel:documentation:security:dev:authorization [2019/08/22 06:52]
tomiskar [Authorization policies]
Line 20: Line 20:
 **Real life example**: **Real life example**:
  
-Let there be an agenda of roles. **To be able to select from the roles dial** (e.g. when requesting roles) **we need to be assigned a permission for an agenda of autocomplete for roles** ''Role - AUTOCOMPLETE'' or //Displaying in autocomplete, selections// for instance with the evaluation type ''BasePermissionEvaluator''.+Let there be an agenda of identities. **To be able to select from the identity dial** (e.g. in filters) **we need to be assigned a permission for an agenda of autocomplete for identities** ''Identity - AUTOCOMPLETE'' or //Displaying in autocomplete, selections// for instance with the evaluation type ''BasePermissionEvaluator''.
 </note> </note>
  
Line 73: Line 73:
   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.
   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
 +  * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button.
 +  * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button.
 +
 +==== Role====
 +
 +  * ''CANBEREQUESTED'' - role, which can be requested. Used in role request and bulk actions for assign role.
  
 ===== Base authorization evaluators ===== ===== Base authorization evaluators =====
Line 299: Line 305:
   * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, reading, change password, manage authorizations | SelfIdentityEvaluator   * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, reading, change password, manage authorizations | SelfIdentityEvaluator
   * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator   * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator
 +  * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator
   * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator   * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator
   * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator   * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator
Line 306: Line 313:
   * Permission to read role requests in workflow approval: Requests for assigned roles (IdmRoleRequest) | Read, Update, Create, Delete | RoleRequestByWfInvolvedIdentityEvaluator   * Permission to read role requests in workflow approval: Requests for assigned roles (IdmRoleRequest) | Read, Update, Create, Delete | RoleRequestByWfInvolvedIdentityEvaluator
   * Permission to read and execute for tasks: Workflow - tasks | Read, Execute | BasePermissionEvaluator (since the version 7.7.0)   * Permission to read and execute for tasks: Workflow - tasks | Read, Execute | BasePermissionEvaluator (since the version 7.7.0)
-  * Permission to read and change indetity profile: Identity profile | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0)+  * Permission to read and change indetity profile: Identity profile (IdmProfile) | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0)
   * Enabling the autocomplete for entities:   * Enabling the autocomplete for entities:
     * User profile (picture) (IdmProfile) | Displaying in autocomplete, selections | BasePermissionEvaluator     * User profile (picture) (IdmProfile) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Users (IdmIdentity) | Displaying in autocomplete, selections | BasePermissionEvaluator     * Users (IdmIdentity) | Displaying in autocomplete, selections | BasePermissionEvaluator
-    * Role (IdmRole) | Displaying in autocomplete, selections | **RoleCanBeRequestedEvaluator** (this is necessary to filter roles by the "Can be requested" attribute in the role requests).+    * Role (IdmRole) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, selections | BasePermissionEvaluator     * Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Industrial relations (IdmIdentityContract) | Displaying in autocomplete, selections | BasePermissionEvaluator     * Industrial relations (IdmIdentityContract) | Displaying in autocomplete, selections | BasePermissionEvaluator
Line 318: Line 325:
     * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator       **(<- use this only when using acc module)**     * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator       **(<- use this only when using acc module)**
     * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator      * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator 
-  * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possible in wrong place.+  * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place.
   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator
  
 If you want to enable the managers of the users to read their subordinates and change their permissions, add following permissions to the userRole: If you want to enable the managers of the users to read their subordinates and change their permissions, add following permissions to the userRole:
   * Users (IdmIdentity) | Manage authorizations, View in select box (autocomplete), Read | SubordinatesEvaluator   * Users (IdmIdentity) | Manage authorizations, View in select box (autocomplete), Read | SubordinatesEvaluator
 +
 +<note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity ''UPDATE''. But exits own permissions for each operation (''MANUALLYDISABLE'' or ''MANUALLYENABLE'')</note>
  
 ==== Settings of permissions for the Helpdesk role ==== ==== Settings of permissions for the Helpdesk role ====
Line 330: Line 339:
   * Permission to read audit: Audit | Read | BasePermissionEvaluator   * Permission to read audit: Audit | Read | BasePermissionEvaluator
   * Permission to see sent notifications: Notifications | Read | BasePermissionEvaluator   * Permission to see sent notifications: Notifications | Read | BasePermissionEvaluator
-  * FIXME add permissions to see the provisioning queue and archive+  * Permission to see provisioning operations (queue): Provisioning - operations in queue (SysProvisioningOperation) | Read | BasePermissionEvaluator 
 +  * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator
  
 ==== Default settings of permissions for a role detail ==== ==== Default settings of permissions for a role detail ====
  • by koulaj