| Both sides previous revision
Previous revision
Next revision
|
Previous revision
Next revision
Both sides next revision
|
devel:documentation:security:dev:authorization [2020/03/03 15:59]
kopro add tags |
devel:documentation:security:dev:authorization [2020/04/15 06:44]
tomiskar [IdentityContractByIdentityEvaluator] |
| * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed. | * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed. |
| * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests. | * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests. |
| | * ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection. |
| * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button. | * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button. |
| * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button. | * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button. |
| |
| Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. ''AbstractTransitiveEvaluator'' is used here. | Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. ''AbstractTransitiveEvaluator'' is used here. |
| | |
| | <note warning>Prevent to combine with ''IdentityByContractEvaluator'' - configure one of them. ''IdentityByContractEvaluator'' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note> |
| | |
| | ==== IdentityByContractEvaluator ==== |
| | |
| | @since 10.3.0 |
| | |
| | Gives a permission for identity according to the permission for identity contract => e.g. if I have a permission to read an contract, I have a permission to read its identity. |
| | |
| | <note warning>Prevent to combine with ''IdentityContractByIdentityEvaluator '' - configure one of them. ''IdentityByContractEvaluator'' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note> |
| |
| ==== ContractGuaranteeByIdentityContractEvaluator ==== | ==== ContractGuaranteeByIdentityContractEvaluator ==== |
| * **By permission to update user** (''owner-update'') - Add permission to attributes of users, which can be updated by the logged user (for example, when logged user can update identity, then he can update attributes too). | * **By permission to update user** (''owner-update'') - Add permission to attributes of users, which can be updated by the logged user (for example, when logged user can update identity, then he can update attributes too). |
| * **By permission to read user** (''owner-read'') - Add permission to attributes of users, which can be read by the logged user (for example, when logged user can read identity, then he can update attributes). | * **By permission to read user** (''owner-read'') - Add permission to attributes of users, which can be read by the logged user (for example, when logged user can read identity, then he can update attributes). |
| | |
| | ==== IdentityContractFormValueEvaluator ==== |
| | |
| | @since 10.2.0 |
| | |
| | <note tip>Since version **10.2.0**, it is possible to define permissions not only for contract as a whole, but also for **individual attributes**. This means that it is now possible for one user to view (or edit) all his attributes, and only one attribute for the other.</note> |
| | |
| | <note important>The permissions control for a particular attribute is now only available for extended attributes (EAV).</note> |
| | |
| | Permissions to contract form attribute values. By definition (main if not specified) and attrinute codes (all if not specified). |
| | Configure permissions for form definitions together with this evaluator - ''FORMDEFINITION_AUTOCOMPLETE'' is needed for read / update form values in this definition. |
| | |
| | === Parameters === |
| | * **Form definition** (''form-definition'') - Select definition, which contains attributes. Main definition will be used as default. |
| | * **Attributes** (''attributes'') - Add permission to attributes. All attributes from selected form definition will be used as default. All attributes or attribute codes (use comma as separator). |
| | * **By permission to update contract** (''owner-update'') - Add permission to attributes of contracts, which can be updated by the logged user (for example, when logged user can update contract, then he can update attributes too). |
| | * **By permission to read contract** (''owner-read'') - Add permission to attributes of contracts, which can be read by the logged user (for example, when logged user can read contract, then he can update attributes). |
| | |
| |
| ==== RoleCatalogueRoleByRoleEvaluator ==== | ==== RoleCatalogueRoleByRoleEvaluator ==== |
| ==== Secure identity form (extended) attribute values ==== | ==== Secure identity form (extended) attribute values ==== |
| |
| If we want to enable for currently logged identity update only for some form attributes (e.g phone) from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows: | If we want to enable for currently logged identity update only for some form attributes (e.g ''phone'') from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows: |
| * Enable authorization policies support for identity form values by [[..:..:application_configuration:dev:backend#identity|configuration]]. | * Enable authorization policies support for identity form values by [[..:..:application_configuration:dev:backend#identity|configuration]]. |
| * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier |
| * Permission to update phone attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition, enter 'phone' as attributes and check logged user only checkbox. | * Permission to update ''phone'' attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition same as above, enter ''phone'' as attributes |
| | * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will don't get permissions to edit other users. |
| | |
| | ==== Secure contract form (extended) attribute values ==== |
| | |
| | If we want to enable for currently logged identity update only for some contract form attributes (e.g. ''other manager'') from some form definition (e.g. from main definition) on contract detail (tab more information), the authorization policies have to be be set as follows: |
| | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for contracts) identifier |
| | * Permission to update ''other manager'' attribute: Forms - values (IdmIdentityContractFormValue) | Read, Update | IdentityContractFormValueEvaluator - select form definition same as above and enter ''other manager'' as attributes. |
| |
| ==== Settings which enable skipping of the role approvement ==== | ==== Settings which enable skipping of the role approvement ==== |