Differences

This shows you the differences between two versions of the page.

--- devel:documentation:security:dev:authorization [2020/03/26 20:05]
tomiskar [IdentityFormValueEvaluator]
+++ devel:documentation:security:dev:authorization [2020/04/15 06:53]
tomiskar
@@ Line 73: / Line 73: @@
   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.
   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
+  * ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection.
   * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button.
   * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button.
@@ Line 113: / Line 114: @@
 ==== SubordinatesEvaluator ====
-A permission for identities which are my subordinates. [[..:..:architecture:dev:filters#defaultsubordinatesfilter|Overloadable filters]] are used for evaluating subordinates or managers.
+A permission for contracts which are my subordinates. [[..:..:architecture:dev:filters#defaultsubordinatesfilter|Overloadable filters]] are used for evaluating subordinates or managers.
+<note warning>Prevent to combine with ''SubordinateContractEvaluator '' - configure one of them. ''SubordinateContractEvaluator '' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note>
+==== SubordinateContractEvaluator ====
+@since 10.3.0
+A permission for identities which are my subordinate contracts. [[..:..:architecture:dev:filters#defaultcontractbymanagerfilter|Overloadable filters]] are used for evaluating subordinate contracts or contract managers.
+<note warning>Prevent to combine with ''SubordinatesEvaluator '' - configure one of them. ''SubordinateContractEvaluator '' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note>
 ==== IdentityContractByIdentityEvaluator ====
 Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. ''AbstractTransitiveEvaluator'' is used here.
+<note warning>Prevent to combine with ''IdentityByContractEvaluator'' - configure one of them. ''IdentityByContractEvaluator'' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note>
+==== IdentityByContractEvaluator ====
+@since 10.3.0
+Gives a permission for identity according to the permission for identity contract => e.g. if I have a permission to read an contract, I have a permission to read its identity.
+<note warning>Prevent to combine with ''IdentityContractByIdentityEvaluator '' - configure one of them. ''IdentityByContractEvaluator'' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note>
 ==== ContractGuaranteeByIdentityContractEvaluator ====
@@ Line 126: / Line 147: @@
 Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles.
+==== IdentityRoleByContractEvaluator ====
+@since 10.3.0
+Gives a permission for assigned roles according to the permission for the contract => e.g. If I have a permission to read an contract, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the contract, I have a permission to edit (add or delete) its assigned roles. Logged identity can see / edit roles assigned to managed contracts only.
 ==== IdentityRoleByRoleEvaluator ====
@@ Line 412: / Line 439: @@
 ==== Secure identity form (extended) attribute values ====
-If we want to enable for currently logged identity update only for some form attributes (e.g phone) from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows:
+If we want to enable for currently logged identity update only for some form attributes (e.g ''phone'') from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows:
   * Enable authorization policies support for identity form values by [[..:..:application_configuration:dev:backend#identity|configuration]].
   * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier
-  * Permission to update phone attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition, enter 'phone' as attributes and check logged user only checkbox.
+  * Permission to update ''phone'' attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition same as above, enter ''phone'' as attributes
+  * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will don't get permissions to edit other users.
+==== Secure contract form (extended) attribute values ====
+If we want to enable for currently logged identity update only for some contract form attributes (e.g. ''other manager'') from some form definition (e.g. from main definition) on contract detail (tab more information), the authorization policies have to be be set as follows:
+  * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for contracts) identifier
+  * Permission to update ''other manager'' attribute: Forms - values (IdmIdentityContractFormValue) | Read, Update | IdentityContractFormValueEvaluator - select form definition same as above and enter ''other manager'' as attributes.
 ==== Settings which enable skipping of the role approvement ====