Differences

This shows you the differences between two versions of the page.

--- devel:documentation:security:dev:authorization [2019/08/22 06:01]
tomiskar [Default settings of permissions for an identity profile]
+++ devel:documentation:security:dev:authorization [2019/11/13 07:39]
tomiskar [Default settings of permissions for an identity profile]
@@ Line 20: / Line 20: @@
 **Real life example**:
-Let there be an agenda of roles. **To be able to select from the roles dial** (e.g. when requesting roles) **we need to be assigned a permission for an agenda of autocomplete for roles** ''Role - AUTOCOMPLETE'' or //Displaying in autocomplete, selections// for instance with the evaluation type ''BasePermissionEvaluator''.
+Let there be an agenda of identities. **To be able to select from the identity dial** (e.g. in filters) **we need to be assigned a permission for an agenda of autocomplete for identities** ''Identity - AUTOCOMPLETE'' or //Displaying in autocomplete, selections// for instance with the evaluation type ''BasePermissionEvaluator''.
 </note>
@@ Line 79: / Line 79: @@
   * ''CANBEREQUESTED'' - role, which can be requested. Used in role request and bulk actions for assign role.
+==== Identity role====
+  * ''CANBEREQUESTED'' - role, which can be requested. Used in copying assigned roles by other identity.
 ===== Base authorization evaluators =====
@@ Line 121: / Line 126: @@
 Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles.
+==== IdentityRoleByRoleEvaluator ====
+@since 9.7.12
+Gives a permission for assigned roles according to the permission for the role definition => e.g. If I have a permission to read an role, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the role, I have a permission to edit its assigned roles.
+It's usable mainly with can be requested permission - enables copying assigned roles from other identity.
+=== Parameters ===
+  * **Can be requested only** (''can-be-requested-only'') - Add permission for role requests only (can be requested). Usable, when assigned roles need to be copied from another user. **Other permissions will not be added.**
+<note tip>If you want to enable copying all assigned roles (the same behavior < @9.7.12), then configure ''BasePermissionEvaluator'' with ''Can be requested'' permission to all assigned roles (``IdmIdentityRole``).</note>
@@ Line 306: / Line 323: @@
   * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator
   * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator
+  * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12)
   * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator
   * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator
@@ Line 332: / Line 350: @@
 <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity ''UPDATE''. But exits own permissions for each operation (''MANUALLYDISABLE'' or ''MANUALLYENABLE'')</note>
+<note tip>From version 9.7.12 it's required ''CANBEREQUESTED'' permission for copying roles into request by other identity.</note>
 ==== Settings of permissions for the Helpdesk role ====