Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
devel:documentation:security:dev:authorization [2019/11/13 07:19] tomiskar [IdentityRoleByIdentityEvaluator] |
devel:documentation:security:dev:authorization [2020/03/26 20:05] tomiskar [IdentityFormValueEvaluator] |
||
---|---|---|---|
Line 1: | Line 1: | ||
===== Authorization policies ===== | ===== Authorization policies ===== | ||
- | {{tag> security authorization role policy }} | + | {{tag> security authorization role policy |
An authorization policy determines which permissions a user in CzechIdM has. | An authorization policy determines which permissions a user in CzechIdM has. | ||
Line 79: | Line 79: | ||
* '' | * '' | ||
+ | |||
+ | |||
+ | ==== Identity role==== | ||
+ | |||
+ | * '' | ||
===== Base authorization evaluators ===== | ===== Base authorization evaluators ===== | ||
Line 131: | Line 136: | ||
=== Parameters === | === Parameters === | ||
* **Can be requested only** ('' | * **Can be requested only** ('' | ||
+ | |||
+ | <note tip>If you want to enable copying all assigned roles (the same behavior < @9.7.12), then configure '' | ||
Line 231: | Line 238: | ||
* **By permission to update user** ('' | * **By permission to update user** ('' | ||
* **By permission to read user** ('' | * **By permission to read user** ('' | ||
+ | |||
+ | ==== IdentityContractFormValueEvaluator ==== | ||
+ | |||
+ | @since 10.2.0 | ||
+ | |||
+ | <note tip> | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | Permissions to contract form attribute values. By definition (main if not specified) and attrinute codes (all if not specified). | ||
+ | Configure permissions for form definitions together with this evaluator - '' | ||
+ | |||
+ | === Parameters === | ||
+ | * **Form definition** ('' | ||
+ | * **Attributes** ('' | ||
+ | * **By permission to update contract** ('' | ||
+ | * **By permission to read contract** ('' | ||
+ | |||
==== RoleCatalogueRoleByRoleEvaluator ==== | ==== RoleCatalogueRoleByRoleEvaluator ==== | ||
Line 316: | Line 341: | ||
* Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | ||
* Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator | * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator | ||
+ | * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) | ||
* Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator | ||
* Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | ||
Line 342: | Line 368: | ||
<note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity '' | <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity '' | ||
+ | |||
+ | <note tip>From version 9.7.12 it's required '' | ||
==== Settings of permissions for the Helpdesk role ==== | ==== Settings of permissions for the Helpdesk role ==== | ||
Line 388: | Line 416: | ||
* Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, | ||
* Permission to update phone attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition, enter ' | * Permission to update phone attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition, enter ' | ||
+ | |||
+ | ==== Settings which enable skipping of the role approvement ==== | ||
+ | |||
+ | Assignment of roles is normally approved by the standard [[devel: | ||
+ | * Permission to directly execute role requests: Role requests (IdmRoleRequest) | Execute | BasePermissionEvaluator | ||
===== Employing policies for a new domain type - entity ===== | ===== Employing policies for a new domain type - entity ===== |