Differences

This shows you the differences between two versions of the page.

--- devel:documentation:security:dev:authorization [2019/08/20 06:00]
tomiskar
+++ devel:documentation:security:dev:authorization [2020/01/30 14:18]
apeterova skip role approve permission
@@ Line 20: / Line 20: @@
 **Real life example**:
-Let there be an agenda of roles. **To be able to select from the roles dial** (e.g. when requesting roles) **we need to be assigned a permission for an agenda of autocomplete for roles** ''Role - AUTOCOMPLETE'' or //Displaying in autocomplete, selections// for instance with the evaluation type ''BasePermissionEvaluator''.
+Let there be an agenda of identities. **To be able to select from the identity dial** (e.g. in filters) **we need to be assigned a permission for an agenda of autocomplete for identities** ''Identity - AUTOCOMPLETE'' or //Displaying in autocomplete, selections// for instance with the evaluation type ''BasePermissionEvaluator''.
 </note>
@@ Line 75: / Line 75: @@
   * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button.
   * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button.
+==== Role====
+  * ''CANBEREQUESTED'' - role, which can be requested. Used in role request and bulk actions for assign role.
+==== Identity role====
+  * ''CANBEREQUESTED'' - role, which can be requested. Used in copying assigned roles by other identity.
 ===== Base authorization evaluators =====
@@ Line 117: / Line 126: @@
 Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles.
+==== IdentityRoleByRoleEvaluator ====
+@since 9.7.12
+Gives a permission for assigned roles according to the permission for the role definition => e.g. If I have a permission to read an role, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the role, I have a permission to edit its assigned roles.
+It's usable mainly with can be requested permission - enables copying assigned roles from other identity.
+=== Parameters ===
+  * **Can be requested only** (''can-be-requested-only'') - Add permission for role requests only (can be requested). Usable, when assigned roles need to be copied from another user. **Other permissions will not be added.**
+<note tip>If you want to enable copying all assigned roles (the same behavior < @9.7.12), then configure ''BasePermissionEvaluator'' with ''Can be requested'' permission to all assigned roles (``IdmIdentityRole``).</note>
@@ Line 301: / Line 322: @@
   * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, reading, change password, manage authorizations | SelfIdentityEvaluator
   * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator
+  * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator
+  * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12)
   * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator
   * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator
@@ Line 312: / Line 335: @@
     * User profile (picture) (IdmProfile) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Users (IdmIdentity) | Displaying in autocomplete, selections | BasePermissionEvaluator
-    * Role (IdmRole) | Displaying in autocomplete, selections | **RoleCanBeRequestedEvaluator** (this is necessary to filter roles by the "Can be requested" attribute in the role requests).
+    * Role (IdmRole) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Industrial relations (IdmIdentityContract) | Displaying in autocomplete, selections | BasePermissionEvaluator
@@ Line 327: / Line 350: @@
 <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity ''UPDATE''. But exits own permissions for each operation (''MANUALLYDISABLE'' or ''MANUALLYENABLE'')</note>
+<note tip>From version 9.7.12 it's required ''CANBEREQUESTED'' permission for copying roles into request by other identity.</note>
 ==== Settings of permissions for the Helpdesk role ====
@@ Line 373: / Line 398: @@
   * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier
   * Permission to update phone attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition, enter 'phone' as attributes and check logged user only checkbox.
+==== Settings which enable skipping of the role approvement ====
+Assignment of roles is normally approved by the standard [[devel:documentation:role_change|approval process]]. The approval process may be skipped by executing the bulk action for [[tutorial:adm:identities_bulk_actions#roles_assignment|Role assignment]] with unchecked Approve, but only if the user has the following permission:
+  * Permission to directly execute role requests: Role requests (IdmRoleRequest) | Execute | BasePermissionEvaluator
 ===== Employing policies for a new domain type - entity =====