devel:documentation:security:dev:authorization [2020/03/27 08:56] tomiskar [Secure identity form (extended) attribute values] |
devel:documentation:security:dev:authorization [2020/04/15 06:53] tomiskar |
* ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed. | * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed. |
* ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests. | * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests. |
| * ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection. |
* ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button. | * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button. |
* ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button. | * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button. |
==== SubordinatesEvaluator ==== | ==== SubordinatesEvaluator ==== |
| |
A permission for identities which are my subordinates. [[..:..:architecture:dev:filters#defaultsubordinatesfilter|Overloadable filters]] are used for evaluating subordinates or managers. | A permission for contracts which are my subordinates. [[..:..:architecture:dev:filters#defaultsubordinatesfilter|Overloadable filters]] are used for evaluating subordinates or managers. |
| |
| <note warning>Prevent to combine with ''SubordinateContractEvaluator '' - configure one of them. ''SubordinateContractEvaluator '' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note> |
| |
| ==== SubordinateContractEvaluator ==== |
| |
| @since 10.3.0 |
| |
| A permission for identities which are my subordinate contracts. [[..:..:architecture:dev:filters#defaultcontractbymanagerfilter|Overloadable filters]] are used for evaluating subordinate contracts or contract managers. |
| |
| <note warning>Prevent to combine with ''SubordinatesEvaluator '' - configure one of them. ''SubordinateContractEvaluator '' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note> |
| |
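Review bot: the reworded first sentence under SubordinatesEvaluator ("A permission for contracts which are my subordinates") and the first sentence of the added SubordinateContractEvaluator section ("A permission for identities which are my subordinate contracts") read as if the entity types were swapped between the two sections. Because both warnings tell the administrator to configure only one of the two, each section should say unambiguously which entity the evaluator grants permission on, identity or contract, matching the filter it links to (defaultsubordinatesfilter and defaultcontractbymanagerfilter respectively). The two warnings are near-identical copies; both spell "flexibile" and leave a trailing space inside the ''SubordinateContractEvaluator '' markup.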
==== IdentityContractByIdentityEvaluator ==== | ==== IdentityContractByIdentityEvaluator ==== |
| |
Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. ''AbstractTransitiveEvaluator'' is used here. | Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. ''AbstractTransitiveEvaluator'' is used here. |
| |
| <note warning>Prevent to combine with ''IdentityByContractEvaluator'' - configure one of them. ''IdentityByContractEvaluator'' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note> |
| |
| ==== IdentityByContractEvaluator ==== |
| |
| @since 10.3.0 |
| |
| Gives a permission for identity according to the permission for identity contract => e.g. if I have a permission to read an contract, I have a permission to read its identity. |
| |
| <note warning>Prevent to combine with ''IdentityContractByIdentityEvaluator '' - configure one of them. ''IdentityByContractEvaluator'' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note> |
| |
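Review bot: the warnings added to IdentityContractByIdentityEvaluator and IdentityByContractEvaluator say not to combine the two but give no reason. Going by the two descriptions, one derives contract permission from identity permission and the other derives identity permission from contract permission, so the warning should state what the effective permissions are when both are configured. The phrase "contracts can be secured by manager (by tree structure or by guarantee)" looks copied from the subordinate evaluators' warning and does not explain this pair, and the IdentityByContractEvaluator description does not say whether ''AbstractTransitiveEvaluator'' is used, which the neighbouring sections do state. Minor: "flexibile" and "an contract".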
==== ContractGuaranteeByIdentityContractEvaluator ==== | ==== ContractGuaranteeByIdentityContractEvaluator ==== |
| |
Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles. | Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles. |
| |
| ==== IdentityRoleByContractEvaluator ==== |
| |
| @since 10.3.0 |
| |
| Gives a permission for assigned roles according to the permission for the contract => e.g. If I have a permission to read an contract, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the contract, I have a permission to edit (add or delete) its assigned roles. Logged identity can see / edit roles assigned to managed contracts only. |
| |
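Review bot: the closing sentence of the IdentityRoleByContractEvaluator section, "Logged identity can see / edit roles assigned to managed contracts only", is stated unconditionally, yet the section just before it grants read and edit on assigned roles from permission on the identity. The text should say whether the restriction still holds when that identity-based evaluator is configured as well, in the same way the other sections added in this revision carry a "configure one of them" warning. Minor: "an contract".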
==== IdentityRoleByRoleEvaluator ==== | ==== IdentityRoleByRoleEvaluator ==== |