Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
devel:documentation:security:dev:authorization [2019/08/22 06:01]
tomiskar [Default settings of permissions for an identity profile] 		devel:documentation:security:dev:authorization [2019/11/13 07:28]
tomiskar [IdentityRoleByRoleEvaluator]
Line 20: Line 20:
 **Real life example**: **Real life example**:
  
-Let there be an agenda of roles. **To be able to select from the roles dial** (e.g. when requesting roles) **we need to be assigned a permission for an agenda of autocomplete for roles** ''Role - AUTOCOMPLETE'' or //Displaying in autocomplete, selections// for instance with the evaluation type ''BasePermissionEvaluator''.+Let there be an agenda of identities. **To be able to select from the identity dial** (e.g. in filters) **we need to be assigned a permission for an agenda of autocomplete for identities** ''Identity - AUTOCOMPLETE'' or //Displaying in autocomplete, selections// for instance with the evaluation type ''BasePermissionEvaluator''.
 </note> </note>
  
Line 121: Line 121:
  
 Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles. Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles.
 +
 +==== IdentityRoleByRoleEvaluator ====
 +
 +@since 9.7.12
 +
 +Gives a permission for assigned roles according to the permission for the role definition => e.g. If I have a permission to read an role, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the role, I have a permission to edit its assigned roles.
 +It's usable mainly with can be requested permission - enables copying assigned roles from other identity.
 +
 +=== Parameters ===
 +  * **Can be requested only** (''can-be-requested-only'') - Add permission for role requests only (can be requested). Usable, when assigned roles need to be copied from another user. **Other permissions will not be added.**
 +
 +<note tip>If you want to enable copying all assigned roles (the same behavior < @9.7.12), then configure ''BasePermissionEvaluator'' with ''Can be requested'' permission to all assigned roles (``IdmIdentityRole``).</note>
  
  
  • by koulaj