Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
devel:documentation:security:dev:authorization [2020/03/27 08:56]
tomiskar [Secure identity form (extended) attribute values] 		devel:documentation:security:dev:authorization [2020/04/15 06:53]
tomiskar
Line 73: Line 73:
   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.
   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
 +  * ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection.
   * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button.   * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button.
   * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button.   * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button.
Line 113: Line 114:
 ==== SubordinatesEvaluator ==== ==== SubordinatesEvaluator ====
  
-A permission for identities which are my subordinates. [[..:..:architecture:dev:filters#defaultsubordinatesfilter|Overloadable filters]] are used for evaluating subordinates or managers.+A permission for contracts which are my subordinates. [[..:..:architecture:dev:filters#defaultsubordinatesfilter|Overloadable filters]] are used for evaluating subordinates or managers. 
 + 
 +<note warning>Prevent to combine with ''SubordinateContractEvaluator '' - configure one of them. ''SubordinateContractEvaluator '' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note> 
 + 
 +==== SubordinateContractEvaluator ==== 
 + 
 +@since 10.3.0 
 + 
 +A permission for identities which are my subordinate contracts. [[..:..:architecture:dev:filters#defaultcontractbymanagerfilter|Overloadable filters]] are used for evaluating subordinate contracts or contract managers. 
 + 
 +<note warning>Prevent to combine with ''SubordinatesEvaluator '' - configure one of them. ''SubordinateContractEvaluator '' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note>
  
 ==== IdentityContractByIdentityEvaluator ==== ==== IdentityContractByIdentityEvaluator ====
  
 Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. ''AbstractTransitiveEvaluator'' is used here. Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. ''AbstractTransitiveEvaluator'' is used here.
 +
 +<note warning>Prevent to combine with ''IdentityByContractEvaluator'' - configure one of them. ''IdentityByContractEvaluator'' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note>
 +
 +==== IdentityByContractEvaluator ====
 +
 +@since 10.3.0
 +
 +Gives a permission for identity according to the permission for identity contract => e.g. if I have a permission to read an contract, I have a permission to read its identity.
 +
 +<note warning>Prevent to combine with ''IdentityContractByIdentityEvaluator '' - configure one of them. ''IdentityByContractEvaluator'' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note>
  
 ==== ContractGuaranteeByIdentityContractEvaluator ==== ==== ContractGuaranteeByIdentityContractEvaluator ====
Line 126: Line 147:
  
 Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles. Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles.
 +
 +==== IdentityRoleByContractEvaluator ====
 +
 +@since 10.3.0
 +
 +Gives a permission for assigned roles according to the permission for the contract => e.g. If I have a permission to read an contract, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the contract, I have a permission to edit (add or delete) its assigned roles. Logged identity can see / edit roles assigned to managed contracts only.
  
 ==== IdentityRoleByRoleEvaluator ==== ==== IdentityRoleByRoleEvaluator ====
  • by koulaj