Differences
This shows you the differences between two versions of the page.
devel:documentation:security:dev:authorization [2019/08/15 14:48] kopro [Default settings of permissions for an identity profile] |
devel:documentation:security:dev:authorization [2019/11/13 07:19] tomiskar [IdentityRoleByIdentityEvaluator] |
||
---|---|---|---|
Line 20: | Line 20: | ||
**Real life example**: | **Real life example**: | ||
- | Let there be an agenda of roles. **To be able to select from the roles dial** (e.g. when requesting roles) **we need to be assigned a permission for an agenda of autocomplete for roles** '' | + | Let there be an agenda of identities. **To be able to select from the identity |
</ | </ | ||
Line 75: | Line 75: | ||
* '' | * '' | ||
* '' | * '' | ||
+ | |||
+ | ==== Role==== | ||
+ | |||
+ | * '' | ||
===== Base authorization evaluators ===== | ===== Base authorization evaluators ===== | ||
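Review bot: The added heading `==== Role====` has no space before the closing markers, unlike `==== IdentityRoleByRoleEvaluator ====` and `===== Base authorization evaluators =====` in the same change. Write it as `==== Role ====` so the heading style stays consistent across the page.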
Line 117: | Line 121: | ||
Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. '' | Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. '' | ||
+ | |||
+ | ==== IdentityRoleByRoleEvaluator ==== | ||
+ | |||
+ | @since 9.7.12 | ||
+ | |||
+ | Gives a permission for assigned roles according to the permission for the role definition => e.g. If I have a permission to read an role, I have a permission to read its assigned roles. '' | ||
+ | It's usable mainly with can be requested permission - enables copying assigned roles from other identity. | ||
+ | |||
+ | === Parameters === | ||
+ | * **Can be requested only** ('' | ||
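Review bot: In the IdentityRoleByRoleEvaluator description, "its assigned roles" is carried over from the IdentityRoleByIdentityEvaluator wording and does not say whose assignments become readable. For a role definition this would be the assignments of that role to any identity, so the sentence should state that explicitly and say how the "Can be requested only" parameter narrows it, since the section recommends the evaluator for copying assigned roles from another identity. Also, "an role" should be "a role", and "can be requested permission" should name the permission the way the default settings bullet added further down does ("Can be requested").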
Line 295: | Line 309: | ||
==== Default settings of permissions for an identity profile ==== | ==== Default settings of permissions for an identity profile ==== | ||
- | |||
- | <note tip>From version 9.7.3 is'n feature manually disabled and manually enabled for user allowed by permission Identity UPDATE. But exits own permissions for each operation (MANUALLYDISABLE and MANUALLYENABLE)</ | ||
This is a typical setting for the **userRole** - regular user as defined in the [[..: | This is a typical setting for the **userRole** - regular user as defined in the [[..: | ||
Line 303: | Line 315: | ||
* Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, | * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, | ||
* Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | ||
+ | * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator | ||
* Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator | ||
* Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | ||
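Review bot: The new bullet gives the regular user role "Can be requested" on Role (IdmRole) through RoleCanBeRequestedEvaluator, but nothing in this diff describes that evaluator, while IdentityRoleByRoleEvaluator gets a full section with @since and parameters. Link the bullet to the evaluator's description, or add one, so a reader can tell what this default actually exposes. The new IdentityRoleByRoleEvaluator section says it is mainly usable with the can be requested permission; if it is not meant to be part of the default userRole settings, say so here.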
Line 314: | Line 327: | ||
* User profile (picture) (IdmProfile) | Displaying in autocomplete, | * User profile (picture) (IdmProfile) | Displaying in autocomplete, | ||
* Users (IdmIdentity) | Displaying in autocomplete, | * Users (IdmIdentity) | Displaying in autocomplete, | ||
- | * Role (IdmRole) | Displaying in autocomplete, | + | * Role (IdmRole) | Displaying in autocomplete, |
* Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, | * Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, | ||
* Industrial relations (IdmIdentityContract) | Displaying in autocomplete, | * Industrial relations (IdmIdentityContract) | Displaying in autocomplete, | ||
Line 327: | Line 340: | ||
If you want to enable the managers of the users to read their subordinates and change their permissions, | If you want to enable the managers of the users to read their subordinates and change their permissions, | ||
* Users (IdmIdentity) | Manage authorizations, | * Users (IdmIdentity) | Manage authorizations, | ||
+ | |||
+ | <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity '' | ||
==== Settings of permissions for the Helpdesk role ==== | ==== Settings of permissions for the Helpdesk role ==== |
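Review bot: The moved note fixes "is'n" to "isn't", but the sentence is still hard to parse, and it documents a permission boundary, so it should be unambiguous. Suggest wording along the lines of "Since version 9.7.3, manually disabling and enabling a user is no longer allowed by the Identity UPDATE permission; each operation has its own permission (MANUALLYDISABLE and MANUALLYENABLE)", which also drops the "exits" typo present in the text removed at line 295. Now that the note sits under the managers paragraph, it should also say whether these two permissions need to be added to the Users (IdmIdentity) line above it.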