Differences

This shows you the differences between two versions of the page.

--- devel:documentation:security:dev:authorization [2019/11/13 07:28]
tomiskar [IdentityRoleByRoleEvaluator]
+++ devel:documentation:security:dev:authorization [2020/03/30 12:51]
tomiskar [Identity]
@@ Line 1: / Line 1: @@
 ===== Authorization policies =====
-{{tag> security authorization role policy }}
+{{tag> security authorization role policy default user role permissions }}
 An authorization policy determines which permissions a user in CzechIdM has.
@@ Line 73: / Line 73: @@
   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.
   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
+  * ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection.
   * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button.
   * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button.
@@ Line 79: / Line 80: @@
   * ''CANBEREQUESTED'' - role, which can be requested. Used in role request and bulk actions for assign role.
+==== Identity role====
+  * ''CANBEREQUESTED'' - role, which can be requested. Used in copying assigned roles by other identity.
 ===== Base authorization evaluators =====
@@ Line 233: / Line 239: @@
   * **By permission to update user** (''owner-update'') - Add permission to attributes of users, which can be updated by the logged user (for example, when logged user can update identity, then he can update attributes too).
   * **By permission to read user** (''owner-read'') - Add permission to attributes of users, which can be read by the logged user (for example, when logged user can read identity, then he can update attributes).
+==== IdentityContractFormValueEvaluator ====
+@since 10.2.0
+<note tip>Since version **10.2.0**, it is possible to define permissions not only for contract as a whole, but also for **individual attributes**. This means that it is now possible for one user to view (or edit) all his attributes, and only one attribute for the other.</note>
+<note important>The permissions control for a particular attribute is now only available for extended attributes (EAV).</note>
+Permissions to contract form attribute values. By definition (main if not specified) and attrinute codes (all if not specified).
+Configure permissions for form definitions together with this evaluator - ''FORMDEFINITION_AUTOCOMPLETE'' is needed for read / update form values in this definition.
+=== Parameters ===
+  * **Form definition** (''form-definition'') - Select definition, which contains attributes. Main definition will be used as default.
+  * **Attributes** (''attributes'') - Add permission to attributes. All attributes from selected form definition will be used as default. All attributes or attribute codes (use comma as separator).
+  * **By permission to update contract** (''owner-update'') - Add permission to attributes of contracts, which can be updated by the logged user (for example, when logged user can update contract, then he can update attributes too).
+  * **By permission to read contract** (''owner-read'') - Add permission to attributes of contracts, which can be read by the logged user (for example, when logged user can read contract, then he can update attributes).
 ==== RoleCatalogueRoleByRoleEvaluator ====
@@ Line 318: / Line 342: @@
   * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator
   * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator
+  * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12)
   * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator
   * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator
@@ Line 344: / Line 369: @@
 <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity ''UPDATE''. But exits own permissions for each operation (''MANUALLYDISABLE'' or ''MANUALLYENABLE'')</note>
+<note tip>From version 9.7.12 it's required ''CANBEREQUESTED'' permission for copying roles into request by other identity.</note>
 ==== Settings of permissions for the Helpdesk role ====
@@ Line 386: / Line 413: @@
 ==== Secure identity form (extended) attribute values ====
-If we want to enable for currently logged identity update only for some form attributes (e.g phone) from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows:
+If we want to enable for currently logged identity update only for some form attributes (e.g ''phone'') from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows:
   * Enable authorization policies support for identity form values by [[..:..:application_configuration:dev:backend#identity|configuration]].
   * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier
-  * Permission to update phone attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition, enter 'phone' as attributes and check logged user only checkbox.
+  * Permission to update ''phone'' attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition same as above, enter ''phone'' as attributes
+  * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will don't get permissions to edit other users.
+==== Secure contract form (extended) attribute values ====
+If we want to enable for currently logged identity update only for some contract form attributes (e.g. ''other manager'') from some form definition (e.g. from main definition) on contract detail (tab more information), the authorization policies have to be be set as follows:
+  * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for contracts) identifier
+  * Permission to update ''other manager'' attribute: Forms - values (IdmIdentityContractFormValue) | Read, Update | IdentityContractFormValueEvaluator - select form definition same as above and enter ''other manager'' as attributes.
+==== Settings which enable skipping of the role approvement ====
+Assignment of roles is normally approved by the standard [[devel:documentation:role_change|approval process]]. The approval process may be skipped by executing the bulk action for [[tutorial:adm:identities_bulk_actions#roles_assignment|Role assignment]] with unchecked Approve, but only if the user has the following permission:
+  * Permission to directly execute role requests: Role requests (IdmRoleRequest) | Execute | BasePermissionEvaluator
 ===== Employing policies for a new domain type - entity =====