devel:documentation:security:dev:authorization [2020/01/30 14:18]
apeterova skip role approve permission
devel:documentation:security:dev:authorization [2020/03/27 08:56]
tomiskar [Secure identity form (extended) attribute values]
Line 1: Line 1:
 ===== Authorization policies ===== ===== Authorization policies =====
  
-{{tag> security authorization role policy }}+{{tag> security authorization role policy default user role permissions }}
  
 An authorization policy determines which permissions a user in CzechIdM has. An authorization policy determines which permissions a user in CzechIdM has.
Line 238: Line 238:
   * **By permission to update user** (''owner-update'') - Add permission to attributes of users, which can be updated by the logged user (for example, when logged user can update identity, then he can update attributes too).   * **By permission to update user** (''owner-update'') - Add permission to attributes of users, which can be updated by the logged user (for example, when logged user can update identity, then he can update attributes too).
   * **By permission to read user** (''owner-read'') - Add permission to attributes of users, which can be read by the logged user (for example, when logged user can read identity, then he can update attributes).   * **By permission to read user** (''owner-read'') - Add permission to attributes of users, which can be read by the logged user (for example, when logged user can read identity, then he can update attributes).
 +
 +==== IdentityContractFormValueEvaluator ====
 +
 +@since 10.2.0
 +
 +<note tip>Since version **10.2.0**, it is possible to define permissions not only for contract as a whole, but also for **individual attributes**. This means that it is now possible for one user to view (or edit) all his attributes, and only one attribute for the other.</note>
 +
 +<note important>The permissions control for a particular attribute is now only available for extended attributes (EAV).</note>
 +
 +Permissions to contract form attribute values. By definition (main if not specified) and attrinute codes (all if not specified).
 +Configure permissions for form definitions together with this evaluator - ''FORMDEFINITION_AUTOCOMPLETE'' is needed for read / update form values in this definition.
 +
 +=== Parameters ===
 +  * **Form definition** (''form-definition'') - Select definition, which contains attributes. Main definition will be used as default.
 +  * **Attributes** (''attributes'') - Add permission to attributes. All attributes from selected form definition will be used as default. All attributes or attribute codes (use comma as separator).
 +  * **By permission to update contract** (''owner-update'') - Add permission to attributes of contracts, which can be updated by the logged user (for example, when logged user can update contract, then he can update attributes too).
 +  * **By permission to read contract** (''owner-read'') - Add permission to attributes of contracts, which can be read by the logged user (for example, when logged user can read contract, then he can update attributes).
 +
  
 ==== RoleCatalogueRoleByRoleEvaluator ==== ==== RoleCatalogueRoleByRoleEvaluator ====
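Review bot: the ''owner-read'' bullet in the new IdentityContractFormValueEvaluator parameters ends with "when logged user can read contract, then he can update attributes", which contradicts the parameter it documents (read, not update) and duplicates the effect already described by the ''owner-update'' bullet just above it; it should read "then he can read attributes too" (the identity evaluator's ''owner-read'' bullet in the surrounding context carries the same slip and could be fixed in the same edit). Two smaller wording points in the same section: "attrinute codes" is a typo for "attribute codes", and the tip note's "all his attributes, and only one attribute for the other" is hard to parse; suggest stating explicitly that one policy can grant a user all attributes of his own contract while another policy grants only a single attribute on other users' contracts, which is what the ''owner-update'' / ''owner-read'' switches together with the ''attributes'' list allow.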
Line 394: Line 412:
 ==== Secure identity form (extended) attribute values ==== ==== Secure identity form (extended) attribute values ====
  
-If we want to enable for currently logged identity update only for some form attributes (e.g phone) from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows:+If we want to enable for currently logged identity update only for some form attributes (e.g ''phone'') from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows:
   * Enable authorization policies support for identity form values by [[..:..:application_configuration:dev:backend#identity|configuration]].   * Enable authorization policies support for identity form values by [[..:..:application_configuration:dev:backend#identity|configuration]].
   * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier   * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier
-  * Permission to update phone attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition, enter 'phone' as attributes and check logged user only checkbox.+  * Permission to update ''phone'' attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition same as above, enter ''phone'' as attributes 
 +  * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will don't get permissions to edit other users. 
 + 
 +==== Secure contract form (extended) attribute values ==== 
 + 
 +If we want to enable for currently logged identity update only for some contract form attributes (e.g. ''other manager'') from some form definition (e.g. from main definition) on contract detail (tab more information), the authorization policies have to be be set as follows: 
 +  * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for contracts) identifier 
 +  * Permission to update ''other manager'' attribute: Forms - values (IdmIdentityContractFormValue) | Read, Update | IdentityContractFormValueEvaluator - select form definition same as above and enter ''other manager'' as attributes. 
  
 ==== Settings which enable skipping of the role approvement ==== ==== Settings which enable skipping of the role approvement ====
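Review bot: the identity example's second bullet is now cut in two, so a new bullet begins with "and check logged user only checkbox", which reads as a dangling continuation of the previous step; either fold it back into the ''phone'' bullet or make it a full step ("Check the logged user only checkbox if the currently logged user may edit only himself."). Its closing sentence "Logged user will don't get permissions to edit other users." is ungrammatical; suggest "The logged user will then not get permission to edit other users' attributes." In the new contract section, "have to be be set" duplicates "be", and, unlike the identity example, there is no step enabling authorization policy support for contract form values by configuration; confirm whether an equivalent configuration switch exists for contracts and add it, or state that none is required. Finally, "IdmFormDefiniton" in both autocomplete bullets looks like a misspelling of the entity name (compare "IdmIdentityContractFormValue" in the following bullet) and should be checked against the actual class name.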
  • by koulaj