Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
devel:documentation:security:dev:authorization [2020/03/26 20:05] tomiskar [IdentityFormValueEvaluator] |
devel:documentation:security:dev:authorization [2020/04/21 12:04] tomiskar [Default settings of permissions for an identity profile] |
||
---|---|---|---|
Line 73: | Line 73: | ||
* '' | * '' | ||
* '' | * '' | ||
+ | * '' | ||
* '' | * '' | ||
* '' | * '' | ||
Line 113: | Line 114: | ||
==== SubordinatesEvaluator ==== | ==== SubordinatesEvaluator ==== | ||
- | A permission for identities | + | A permission for contracts |
+ | |||
+ | ==== SubordinateContractEvaluator ==== | ||
+ | |||
+ | @since 10.3.0 | ||
+ | |||
+ | A permission for identities which are my subordinate contracts. [[..: | ||
==== IdentityContractByIdentityEvaluator ==== | ==== IdentityContractByIdentityEvaluator ==== | ||
Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. '' | Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. '' | ||
+ | |||
+ | <note warning> | ||
+ | |||
+ | ==== IdentityByContractEvaluator ==== | ||
+ | |||
+ | @since 10.3.0 | ||
+ | |||
+ | Gives a permission for identity according to the permission for identity contract => e.g. if I have a permission to read an contract, I have a permission to read its identity. | ||
+ | |||
+ | <note warning> | ||
==== ContractGuaranteeByIdentityContractEvaluator ==== | ==== ContractGuaranteeByIdentityContractEvaluator ==== | ||
Line 126: | Line 143: | ||
Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. '' | Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. '' | ||
+ | |||
+ | ==== IdentityRoleByContractEvaluator ==== | ||
+ | |||
+ | @since 10.3.0 | ||
+ | |||
+ | Gives a permission for assigned roles according to the permission for the contract => e.g. If I have a permission to read an contract, I have a permission to read its assigned roles. '' | ||
==== IdentityRoleByRoleEvaluator ==== | ==== IdentityRoleByRoleEvaluator ==== | ||
Line 361: | Line 384: | ||
* Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator | * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator | ||
* Connected systems | Displaying in autocomplete, | * Connected systems | Displaying in autocomplete, | ||
+ | * Scheduler (IdmLongRunningTask) | Displaying in autocomplete, | ||
* Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place. | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place. | ||
* Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | ||
- | |||
- | If you want to enable the managers of the users to read their subordinates and change their permissions, | ||
- | * Users (IdmIdentity) | Manage authorizations, | ||
<note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity '' | <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity '' | ||
<note tip>From version 9.7.12 it's required '' | <note tip>From version 9.7.12 it's required '' | ||
+ | |||
+ | === Manager and subordinates === | ||
+ | |||
+ | If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: | ||
+ | * **remove** following **permissions** from the userRole: | ||
+ | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | **IdentityContractByIdentityEvaluator** | ||
+ | * **add** following **permissions** to the userRole: | ||
+ | * Users (IdmIdentity) | View in select box (autocomplete), | ||
+ | * Contracts (IdmIdentityContract) | View in select box (autocomplete), | ||
+ | * Users (IdmIdentity) | - | **IdentityByContractEvaluator** | ||
+ | * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator** | ||
+ | |||
+ | <note tip>This configuration is available from version 10.3.0. If you are using some older version, then no permissions have to be removed and add one permission instead: | ||
+ | * Users (IdmIdentity) | View in select box (autocomplete), | ||
+ | |||
+ | **With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. | ||
+ | </ | ||
==== Settings of permissions for the Helpdesk role ==== | ==== Settings of permissions for the Helpdesk role ==== | ||
Line 410: | Line 448: | ||
* Permission to admin code list extended attributes: Forms - attributes (IdmFormAttribute) | - | [[# | * Permission to admin code list extended attributes: Forms - attributes (IdmFormAttribute) | - | [[# | ||
- | ==== Secure | + | ==== Settings of permissions of identity form (extended) attribute values ==== |
- | If we want to enable for currently logged identity update | + | If we want to enable for currently logged identity |
- | * Enable authorization policies support for identity form values by [[..: | + | |
* Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, | ||
- | * Permission to update phone attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition, enter ' | + | * Permission to update |
+ | * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will don't get permissions to edit other users. | ||
+ | |||
+ | ==== Settings of permissions of contract form (extended) attribute values ==== | ||
+ | |||
+ | If we want to enable for currently logged identity read / update for some contract form attributes (e.g. '' | ||
+ | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, | ||
+ | * Permission to update '' | ||
==== Settings which enable skipping of the role approvement ==== | ==== Settings which enable skipping of the role approvement ==== |