Differences

This shows you the differences between two versions of the page.

--- devel:documentation:security:dev:authorization [2019/11/13 07:39]
tomiskar [Default settings of permissions for an identity profile]
+++ devel:documentation:security:dev:authorization [2020/03/26 20:05]
tomiskar [IdentityFormValueEvaluator]
@@ Line 1: / Line 1: @@
 ===== Authorization policies =====
-{{tag> security authorization role policy }}
+{{tag> security authorization role policy default user role permissions }}
 An authorization policy determines which permissions a user in CzechIdM has.
@@ Line 238: / Line 238: @@
   * **By permission to update user** (''owner-update'') - Add permission to attributes of users, which can be updated by the logged user (for example, when logged user can update identity, then he can update attributes too).
   * **By permission to read user** (''owner-read'') - Add permission to attributes of users, which can be read by the logged user (for example, when logged user can read identity, then he can update attributes).
+==== IdentityContractFormValueEvaluator ====
+@since 10.2.0
+<note tip>Since version **10.2.0**, it is possible to define permissions not only for contract as a whole, but also for **individual attributes**. This means that it is now possible for one user to view (or edit) all his attributes, and only one attribute for the other.</note>
+<note important>The permissions control for a particular attribute is now only available for extended attributes (EAV).</note>
+Permissions to contract form attribute values. By definition (main if not specified) and attrinute codes (all if not specified).
+Configure permissions for form definitions together with this evaluator - ''FORMDEFINITION_AUTOCOMPLETE'' is needed for read / update form values in this definition.
+=== Parameters ===
+  * **Form definition** (''form-definition'') - Select definition, which contains attributes. Main definition will be used as default.
+  * **Attributes** (''attributes'') - Add permission to attributes. All attributes from selected form definition will be used as default. All attributes or attribute codes (use comma as separator).
+  * **By permission to update contract** (''owner-update'') - Add permission to attributes of contracts, which can be updated by the logged user (for example, when logged user can update contract, then he can update attributes too).
+  * **By permission to read contract** (''owner-read'') - Add permission to attributes of contracts, which can be read by the logged user (for example, when logged user can read contract, then he can update attributes).
 ==== RoleCatalogueRoleByRoleEvaluator ====
@@ Line 398: / Line 416: @@
   * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier
   * Permission to update phone attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition, enter 'phone' as attributes and check logged user only checkbox.
+==== Settings which enable skipping of the role approvement ====
+Assignment of roles is normally approved by the standard [[devel:documentation:role_change|approval process]]. The approval process may be skipped by executing the bulk action for [[tutorial:adm:identities_bulk_actions#roles_assignment|Role assignment]] with unchecked Approve, but only if the user has the following permission:
+  * Permission to directly execute role requests: Role requests (IdmRoleRequest) | Execute | BasePermissionEvaluator
 ===== Employing policies for a new domain type - entity =====