Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
devel:documentation:security:dev:authorization [2019/11/13 07:19] tomiskar [IdentityRoleByIdentityEvaluator] |
devel:documentation:security:dev:authorization [2022/03/29 07:50] doischert [ReportByReportTypeEvaluator] |
||
---|---|---|---|
Line 1: | Line 1: | ||
===== Authorization policies ===== | ===== Authorization policies ===== | ||
- | {{tag> security authorization role policy }} | + | {{tag> security authorization role policy |
An authorization policy determines which permissions a user in CzechIdM has. | An authorization policy determines which permissions a user in CzechIdM has. | ||
Line 36: | Line 36: | ||
* '' | * '' | ||
* '' | * '' | ||
- | * '' | + | * '' |
< | < | ||
* '' | * '' | ||
<note important> | <note important> | ||
* '' | * '' | ||
+ | * **'' | ||
+ | * **'' | ||
* '' | * '' | ||
* '' | * '' | ||
- | * '' | + | * '' |
- | * '' | + | * '' |
- | * '' | + | |
- | * '' | + | |
- | * '' | + | |
* '' | * '' | ||
* loads all the active policies according to the assigned user roles | * loads all the active policies according to the assigned user roles | ||
Line 72: | Line 71: | ||
* '' | * '' | ||
- | * '' | ||
* '' | * '' | ||
* '' | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
==== Role==== | ==== Role==== | ||
* '' | * '' | ||
+ | * '' | ||
+ | |||
+ | ==== Identity role==== | ||
+ | |||
+ | * '' | ||
+ | |||
+ | ==== Identity contract ==== | ||
+ | |||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | ===== Cache ===== | ||
+ | |||
+ | Cache is used for evaluating authorization policies and permissions by '' | ||
+ | |||
+ | * **'' | ||
+ | * **'' | ||
===== Base authorization evaluators ===== | ===== Base authorization evaluators ===== | ||
Line 89: | Line 113: | ||
Serves as a parent for evaluating permissions according to the derived objects - for example, I have a permission for the assigned role if I have a permission for the identity, etc. See the children of this abstract class below ('' | Serves as a parent for evaluating permissions according to the derived objects - for example, I have a permission for the assigned role if I have a permission for the identity, etc. See the children of this abstract class below ('' | ||
+ | |||
+ | === Parameters === | ||
+ | * **Use permissions** ('' | ||
==== BasePermissionEvaluator ==== | ==== BasePermissionEvaluator ==== | ||
Line 105: | Line 132: | ||
Gives currently logged user a permission to work with his own identity. | Gives currently logged user a permission to work with his own identity. | ||
+ | |||
+ | ==== IdentityByFormProjectionEvaluator ==== | ||
+ | |||
+ | @since 10.3.0 | ||
+ | |||
+ | A permission for identities by user type. | ||
+ | |||
+ | === Parameters === | ||
+ | * **User type** ('' | ||
==== SubordinatesEvaluator ==== | ==== SubordinatesEvaluator ==== | ||
- | A permission for identities | + | A permission for contracts |
+ | |||
+ | ==== SubordinateContractEvaluator ==== | ||
+ | |||
+ | @since 10.3.0 | ||
+ | |||
+ | A permission for identities which are my subordinate contracts. [[..: | ||
==== IdentityContractByIdentityEvaluator ==== | ==== IdentityContractByIdentityEvaluator ==== | ||
Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. '' | Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. '' | ||
+ | |||
+ | === Parameters === | ||
+ | * **Use permissions** ('' | ||
+ | |||
+ | <note warning> | ||
+ | |||
+ | ==== IdentityByContractEvaluator ==== | ||
+ | |||
+ | @since 10.3.0 | ||
+ | |||
+ | Gives a permission for identity according to the permission for identity contract => e.g. if I have a permission to read an contract, I have a permission to read its identity. | ||
+ | |||
+ | <note warning> | ||
==== ContractGuaranteeByIdentityContractEvaluator ==== | ==== ContractGuaranteeByIdentityContractEvaluator ==== | ||
Line 121: | Line 176: | ||
Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. '' | Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. '' | ||
+ | |||
+ | ==== IdentityRoleByContractEvaluator ==== | ||
+ | |||
+ | @since 10.3.0 | ||
+ | |||
+ | Gives a permission for assigned roles according to the permission for the contract => e.g. If I have a permission to read an contract, I have a permission to read its assigned roles. '' | ||
==== IdentityRoleByRoleEvaluator ==== | ==== IdentityRoleByRoleEvaluator ==== | ||
Line 131: | Line 192: | ||
=== Parameters === | === Parameters === | ||
* **Can be requested only** ('' | * **Can be requested only** ('' | ||
+ | |||
+ | <note tip>If you want to enable copying all assigned roles (the same behavior < @9.7.12), then configure '' | ||
Line 140: | Line 203: | ||
This evaluator solves both ways (or). | This evaluator solves both ways (or). | ||
+ | |||
+ | Evaluator can be used for UC, when role guarantee can assign his roles to users (@since 11.1.0). The authorization policies have to be set as follows: | ||
+ | * Permission to work with guaranteed roles: Roles (IdmRole) | View in select box (autocomplete), | ||
+ | * Permission to all identities: Users (IdmIdentity) | Read | BasePermissionEvaluator | ||
+ | * Permission to assign new role to all contracts: Contracted positions (IdmIdentityContract) | Can be requested | BasePermissionEvaluator | ||
+ | * Permission to read all assigned roles: Assigned roles (IdmIdentityRole) | - | IdentityRoleByIdentityEvaluator | ||
+ | * Permission to assign guaranteed roles: Assigned roles (IdmIdentityRole) | **Can be requested only:true** | IdentityRoleByRoleEvaluator | ||
==== AuthorizationPolicyByRoleEvaluator ==== | ==== AuthorizationPolicyByRoleEvaluator ==== | ||
Line 196: | Line 266: | ||
Gives a permission for code list items according to the permission for the code list => e.g. If I have a permission to read a code list, I have a permission to read its items. | Gives a permission for code list items according to the permission for the code list => e.g. If I have a permission to read a code list, I have a permission to read its items. | ||
+ | |||
+ | ==== CodeListItemByCodeEvaluator ==== | ||
+ | |||
+ | @since 10.3.0 | ||
+ | |||
+ | Gives a permission for code list items according to the permission for the code list and item codes. | ||
+ | |||
+ | === Parameters === | ||
+ | * **Code list** ('' | ||
+ | * **Items** ('' | ||
==== VsRequestByImplementerEvaluator ==== | ==== VsRequestByImplementerEvaluator ==== | ||
Line 208: | Line 288: | ||
For show identity-accounts only for identities witch have permissions on the accounts. With this evaluator can user show and edit only identity-accounts where is owner for the accounts. | For show identity-accounts only for identities witch have permissions on the accounts. With this evaluator can user show and edit only identity-accounts where is owner for the accounts. | ||
+ | |||
+ | ==== ReportByReportTypeEvaluator ==== | ||
+ | |||
+ | @since 12.2.0 Gives currently logged identity permission to work with a specified report. The report is specified by executor name (e. g., ' | ||
+ | |||
==== SelfReportEvaluator ==== | ==== SelfReportEvaluator ==== | ||
Line 231: | Line 316: | ||
* **By permission to update user** ('' | * **By permission to update user** ('' | ||
* **By permission to read user** ('' | * **By permission to read user** ('' | ||
+ | |||
+ | ==== IdentityContractFormValueEvaluator ==== | ||
+ | |||
+ | @since 10.2.0 | ||
+ | |||
+ | <note tip> | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | Permissions to contract form attribute values. By definition (main if not specified) and attrinute codes (all if not specified). | ||
+ | Configure permissions for form definitions together with this evaluator - '' | ||
+ | |||
+ | === Parameters === | ||
+ | * **Form definition** ('' | ||
+ | * **Attributes** ('' | ||
+ | * **By permission to update contract** ('' | ||
+ | * **By permission to read contract** ('' | ||
+ | |||
==== RoleCatalogueRoleByRoleEvaluator ==== | ==== RoleCatalogueRoleByRoleEvaluator ==== | ||
Line 296: | Line 399: | ||
Permissions to identity roles. User can manipulate with his own roles. With basic settings for user you dont need this, beacause exist evaluator **IdentityRoleByIdentityEvaluator** and every identity can read all roles for identities that can read. | Permissions to identity roles. User can manipulate with his own roles. With basic settings for user you dont need this, beacause exist evaluator **IdentityRoleByIdentityEvaluator** and every identity can read all roles for identities that can read. | ||
+ | ==== SelfContractEvaluator ==== | ||
+ | |||
+ | @since 10.4.0 | ||
+ | |||
+ | Permissions to contracts. User can manipulate with his own contracts. | ||
==== Universal request agenda (IdmRequest - evaluators) ==== | ==== Universal request agenda (IdmRequest - evaluators) ==== | ||
[[devel: | [[devel: | ||
+ | |||
+ | ==== RoleByRoleCatalogueEvaluator ==== | ||
+ | @since 10.3.0 for **LTS version** is available similar evaluator in [[devel: | ||
+ | |||
+ | Documentation for the evaluator is available [[devel: | ||
+ | |||
+ | ==== IdentityByTreeNodeEvaluator ==== | ||
+ | @since 10.3.0 for **LTS version** is available similar evaluator in [[devel: | ||
+ | |||
+ | Documentation for the evaluator is available [[devel: | ||
+ | |||
===== Default policies ===== | ===== Default policies ===== | ||
Line 304: | Line 423: | ||
- | < | + | < |
===== Examples of configuration ===== | ===== Examples of configuration ===== | ||
Line 313: | Line 432: | ||
If we want to read an identity profile including its assigned roles and IR, to enable password change and to request roles, it is possible to set the default role authorization policies as follows: | If we want to read an identity profile including its assigned roles and IR, to enable password change and to request roles, it is possible to set the default role authorization policies as follows: | ||
- | * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, | + | * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, |
* Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | ||
- | * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator | + | * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator |
- | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator | + | * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | **Can be requested only: true** | IdentityRoleByRoleEvaluator |
+ | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: | ||
* Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | ||
* Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator | * Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator | ||
Line 325: | Line 445: | ||
* Permission to read and change indetity profile: Identity profile (IdmProfile) | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0) | * Permission to read and change indetity profile: Identity profile (IdmProfile) | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0) | ||
* Enabling the autocomplete for entities: | * Enabling the autocomplete for entities: | ||
- | * User profile (picture) (IdmProfile) | Displaying in autocomplete, | ||
* Users (IdmIdentity) | Displaying in autocomplete, | * Users (IdmIdentity) | Displaying in autocomplete, | ||
+ | * User profile (picture) (IdmProfile) | Displaying in autocomplete, | ||
* Role (IdmRole) | Displaying in autocomplete, | * Role (IdmRole) | Displaying in autocomplete, | ||
* Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, | * Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, | ||
Line 335: | Line 455: | ||
* Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator | * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator | ||
* Connected systems | Displaying in autocomplete, | * Connected systems | Displaying in autocomplete, | ||
- | | + | |
- | * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions | + | * Code lists (IdmCodeList) | Displaying |
- | + | * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, | |
- | If you want to enable the managers of the users to read their subordinates | + | * Permission |
- | * Users (IdmIdentity) | Manage authorizations, | + | |
<note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity '' | <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity '' | ||
+ | |||
+ | <note tip>From version 9.7.12 it's required '' | ||
+ | |||
+ | === Manager and subordinates === | ||
+ | |||
+ | If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: | ||
+ | * **add** following **permissions** to the userRole: | ||
+ | * Users (IdmIdentity) | View in select box (autocomplete), | ||
+ | * Contracts (IdmIdentityContract) | View in select box (autocomplete), | ||
+ | * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator** | ||
+ | |||
+ | <note tip>This configuration is available from version 10.3.0. If you are using some older version, add one permission instead: | ||
+ | * Users (IdmIdentity) | View in select box (autocomplete), | ||
+ | |||
+ | **With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. | ||
+ | </ | ||
+ | |||
+ | ==== Default settings of permissions for delegations ==== | ||
+ | |||
+ | Default settings of permissions for delegations are defined in the role ' | ||
+ | |||
+ | <note tip>You can see a detailed configuration of evaluators with comments here: | ||
+ | [[https:// | ||
+ | |InitDelegationRoleProcessor]]</ | ||
==== Settings of permissions for the Helpdesk role ==== | ==== Settings of permissions for the Helpdesk role ==== | ||
Line 352: | Line 495: | ||
* Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator | * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator | ||
+ | ==== Settings of permissions for virtual system implementer | ||
+ | |||
+ | The virtual system implementer (~approver) role should have following additional permissions: | ||
+ | * Permission to admin virtual system requests: Requests on virtual systems (VsRequest ) | Administration (all) | VsRequestByImplementerEvaluator | ||
==== Default settings of permissions for a role detail ==== | ==== Default settings of permissions for a role detail ==== | ||
Line 360: | Line 507: | ||
* Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator | * Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator | ||
* Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator | * Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator | ||
+ | * Permission to autocomplete automatic roles (tree): Automatic roles (IdmRoleTreeNode) | Displaying in autocomplete, | ||
* Permission to read automatic roles (attributes) by role: | * Permission to read automatic roles (attributes) by role: | ||
- | * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Read | BasePermissionEvaluator | + | * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Displaying in autocomplete, |
* Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator | * Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator | ||
* Permissions to read request for automatic roles (both): | * Permissions to read request for automatic roles (both): | ||
* Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator | * Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator | ||
* Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator | * Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator | ||
+ | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update | AutomaticRoleRequestByWfInvolvedIdentityEvaluator. For create new or delete an automatic role request add another evaluator (for example BasePermissionEvaluator to choosed users). Add also autocomplete permission to IdmAutomaticRoleAttribute (if you use automatic roles by attributes) and IdmRoleTreeNode (if you use automatic roles by organizations.). | ||
* Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator | * Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator | ||
* Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator | * Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator | ||
Line 373: | Line 522: | ||
* Business roles definition (IdmRoleComposition) | - | [[# | * Business roles definition (IdmRoleComposition) | - | [[# | ||
* Business roles definition (IdmRoleComposition) | - | [[# | * Business roles definition (IdmRoleComposition) | - | [[# | ||
+ | * Permission to autocomplete form definitions: | ||
* Role attributes (subdefnition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator | * Role attributes (subdefnition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator | ||
Line 382: | Line 532: | ||
* Permission to admin code list extended attributes: Forms - attributes (IdmFormAttribute) | - | [[# | * Permission to admin code list extended attributes: Forms - attributes (IdmFormAttribute) | - | [[# | ||
- | ==== Secure | + | ==== Settings of permissions of identity basic attributes ==== |
+ | |||
+ | If we want to enable for currently logged identity change all basic identity attributes (e.g. login, first name, surname), the authorization policies can be set as follows: | ||
+ | * Permission to update identity and attributes: Users (IdmIdentity) | **Update**, Change phone, Change personal number, Change note, Change login, Change user type (projection), | ||
+ | |||
+ | <note tip>Can be combined with [[# | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | ==== Settings of permissions of identity form (extended) attribute values | ||
+ | |||
+ | If we want to enable for currently logged identity read / update for some form attributes (e.g '' | ||
+ | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | ||
+ | * Permission to update '' | ||
+ | * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will not get permissions to edit other users. | ||
+ | |||
+ | ==== Settings of permissions of contract form (extended) attribute values ==== | ||
+ | |||
+ | If we want to enable for currently logged identity read / update for some contract form attributes (e.g. '' | ||
+ | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, | ||
+ | * Permission to update '' | ||
+ | |||
+ | |||
+ | ==== Settings which enable skipping of the role approvement | ||
- | If we want to enable for currently logged identity update only for some form attributes (e.g phone) from some form definition (e.g. from main definition) on identity detail (tab more information), | + | Assignment of roles is normally approved by the standard [[devel: |
- | * Enable authorization policies support | + | * Permission to directly execute role requests: Role requests |
- | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, | + | |
- | * Permission to update phone attribute: Forms - values | + | |
===== Employing policies for a new domain type - entity ===== | ===== Employing policies for a new domain type - entity ===== |