Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
devel:documentation:security:dev:authorization [2020/03/30 12:50]
tomiskar [Identity] 		devel:documentation:security:dev:authorization [2020/08/25 10:44]
tomiskar [Default policies]
Line 41: Line 41:
 <note important>**Policies are assigned to individual roles and thanks to that the logged in user also gets them (relation identity - IR - role - policy).**</note> <note important>**Policies are assigned to individual roles and thanks to that the logged in user also gets them (relation identity - IR - role - policy).**</note>
   * ''AuthorizationEvaluator'' - authorization "evaluator" - it is basically an implementation of the individual types of the rule described above. Each evaluator carries information about which domain type and which setting it supports. Some can also be universal for more domain types (e.g. children of''BaseEntity''). In order to simplify the implementation of a rule, the class ''AbstractAuthorizationEvaluator'' has been created, which can be simply inherited when adding another rule. The main evaluators will be described below. The main evaluator methods, which must be implemented (or overloaded from ''AbstractAuthorizationEvaluator''):   * ''AuthorizationEvaluator'' - authorization "evaluator" - it is basically an implementation of the individual types of the rule described above. Each evaluator carries information about which domain type and which setting it supports. Some can also be universal for more domain types (e.g. children of''BaseEntity''). In order to simplify the implementation of a rule, the class ''AbstractAuthorizationEvaluator'' has been created, which can be simply inherited when adding another rule. The main evaluators will be described below. The main evaluator methods, which must be implemented (or overloaded from ''AbstractAuthorizationEvaluator''):
 +    * **''getPermissions(policy, authorizable)''** - **returns a set of operations** (the set ''BasePermission''), which the currently logged in **identity can perform** with a given domain object according to the given policy (e.g. READ, UPDATE)
 +    * **''getPredicate(...)''** - returns a jpa criteria **predicate**, which can be "stuck" onto a **where clause** => the query then returns a result which can be paged and ordered. The result contains data, which we have permissions for according to the given policy. It is recommended to write the predicates as subqueries with ''exists'', to prevent problems with joining tables (if, of course, it is not something simple).
     * ''supports(authorizableType)'' - which doamin type is supported by the evaluator     * ''supports(authorizableType)'' - which doamin type is supported by the evaluator
     * ''supportsPermissions()'' - returns true if the assigned permissions are supported. False - it defines them itself internally (e.g. ''AbstractTransitiveEvaluator'').     * ''supportsPermissions()'' - returns true if the assigned permissions are supported. False - it defines them itself internally (e.g. ''AbstractTransitiveEvaluator'').
-    * ''getAuthorities(policy)'' - **returns a set of operations** (the set''BasePermission''), which the currently logged in **identity could perform** according to the given policy (e.g. READ, UPDATE).  +    * ''getAuthorities(policy)'' - **returns a set of operations** (the set''BasePermission''), which the currently logged in **identity could perform** according to the given policy (e.g. READ, UPDATE). 
-    * ''getPermissions(policy, authorizable)'' - **returns a set of operations** (the set ''BasePermission''), which the currently logged in **identity can perform** with a given domain object according to the given policy (e.g. READ, UPDATE) +  * ''AuthorizableService'' - an interface for labeling a service working with entities that it supports evaluating of policies for permissions for data. This has been added mainly because of backward compatibility - permissions for data are linked to individual agendas one by one. The policies can thus be configured only for domain types with services supporting this interface.
-    * ''evaluate(policy, authorizable, permission)'' - this is just sort of a shortcut - it returns true if the currently logged in identity can perform the given operation according to the given policy (in practice - ''contains'' to the set above) +
-    * ''getPredicate(...)'' - returns a jpa criteria **predicate**, which can be "stuck" onto a **where clause** => the query then returns a result which can be paged and ordered. The result contains data, which we have permissions for according to the given policy. It is recommended to write the predicates as subqueries with ''exists'', to prevent problems with joining tables (if, of course, it is not something simple). +
-  * ''AuthorizableService'' - an interface for labeling a service working with entities that it supports evaluating of policies for permissions for data. This has been added mainly because of backward compatibility - permissions for data are linked to individual agendas one by one. The policies can thus be configured only for domain types with services supporting this interface. +
   * ''AuthorizationManager'' - loads and evaluates the set policies for the logged in identity throughout the application:   * ''AuthorizationManager'' - loads and evaluates the set policies for the logged in identity throughout the application:
     * loads all the active policies according to the assigned user roles     * loads all the active policies according to the assigned user roles
Line 72: Line 71:
  
   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.
-  * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests. 
-  * ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection.  
   * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button.   * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button.
   * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button.   * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button.
 +  * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
 +  * ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection.
 +  * ''CHANGEUSERNAME'' - @since 10.3.0 - Change identity login.
 +  * ''CHANGENAME'' - @since 10.3.0 - Change identity firt name, surname and titles.
 +  * ''CHANGEPHONE'' - @since 10.3.0 - Change identity phone.
 +  * ''CHANGEEMAIL'' - @since 10.3.0 - Change identity eamil.
 +  * ''CHANGEEXTERNALCODE'' - @since 10.3.0 - Change identity personal number.
 +  * ''CHANGEDESCRIPTION'' - @since 10.3.0 - Change identity description.
 +  * ''SWITCHUSER'' - @since 10.5.0 - logged user can login as selected user (switch user). 
  
 ==== Role==== ==== Role====
Line 85: Line 91:
  
   * ''CANBEREQUESTED'' - role, which can be requested. Used in copying assigned roles by other identity.   * ''CANBEREQUESTED'' - role, which can be requested. Used in copying assigned roles by other identity.
 +
 +==== Identity contract ====
 +
 +  * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on contract gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
 +
 +===== Cache =====
 +
 +Cache is used for evaluating authorization policies and permissions by ''AuthorizationManager'':
 +
 +  * **''core:authorization-policy-cache''** - Cache stores active authorization policies of currently logged user. Cache is evicted after user log out. When authorization policies configuration is changed, then user is logged out and cache is evicted (after permissions removal only). Cache expiration is 2 hour, e.g. if user forgot to log out.
 +  * **''core:permission-cache''** - Cache stores permissions (for data) of currently logged user. Cache is evicted after user log out. Cache expiration is 1 minute - if data structure is changed, then permissions are actualized after this duration. When authorization policies configuration is changed, cache is evicted (completely).
  
 ===== Base authorization evaluators ===== ===== Base authorization evaluators =====
Line 95: Line 112:
  
 Serves as a parent for evaluating permissions according to the derived objects - for example, I have a permission for the assigned role if I have a permission for the identity, etc. See the children of this abstract class below (''IdentityContractByIdentityEvaluator''). Serves as a parent for evaluating permissions according to the derived objects - for example, I have a permission for the assigned role if I have a permission for the identity, etc. See the children of this abstract class below (''IdentityContractByIdentityEvaluator'').
 +
 +=== Parameters ===
 +  * **Use permissions** (''include-permissions'') - Only selected permissions can be used from owner permissions transitively. Configuration property has to be used in evaluator configuration properties (in evaluator form attributes) and ''getPredicate method'' has to check evaluated permission is selected (see ''IdentityContractByIdentityEvaluator'' for example).
  
 ==== BasePermissionEvaluator ==== ==== BasePermissionEvaluator ====
Line 111: Line 131:
  
 Gives currently logged user a permission to work with his own identity.  Gives currently logged user a permission to work with his own identity. 
 +
 +==== IdentityByFormProjectionEvaluator ====
 +
 +@since 10.3.0
 +
 +A permission for identities by user type.
 +
 +=== Parameters ===
 +  * **User type** (''form-projection'') - Add permission to selected user type or to default type (user without type is specified).
  
 ==== SubordinatesEvaluator ==== ==== SubordinatesEvaluator ====
  
-A permission for identities which are my subordinates. [[..:..:architecture:dev:filters#defaultsubordinatesfilter|Overloadable filters]] are used for evaluating subordinates or managers.+A permission for contracts which are my subordinates. [[..:..:architecture:dev:filters#defaultsubordinatesfilter|Overloadable filters]] are used for evaluating subordinates or managers. 
 + 
 +==== SubordinateContractEvaluator ==== 
 + 
 +@since 10.3.0 
 + 
 +A permission for identities which are my subordinate contracts. [[..:..:architecture:dev:filters#defaultcontractbymanagerfilter|Overloadable filters]] are used for evaluating subordinate contracts or contract managers.
  
 ==== IdentityContractByIdentityEvaluator ==== ==== IdentityContractByIdentityEvaluator ====
  
 Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. ''AbstractTransitiveEvaluator'' is used here. Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. ''AbstractTransitiveEvaluator'' is used here.
 +
 +=== Parameters ===
 +  * **Use permissions** (''include-permissions'') - Only selected permissions can be used from identity permissions transitively.
 +
 +<note warning>Prevent to combine with ''IdentityByContractEvaluator'' - configure one of them.</note>
 +
 +==== IdentityByContractEvaluator ====
 +
 +@since 10.3.0
 +
 +Gives a permission for identity according to the permission for identity contract => e.g. if I have a permission to read an contract, I have a permission to read its identity.
 +
 +<note warning>Prevent to combine with ''IdentityContractByIdentityEvaluator '' - configure one of them.</note>
  
 ==== ContractGuaranteeByIdentityContractEvaluator ==== ==== ContractGuaranteeByIdentityContractEvaluator ====
Line 127: Line 175:
  
 Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles. Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles.
 +
 +==== IdentityRoleByContractEvaluator ====
 +
 +@since 10.3.0
 +
 +Gives a permission for assigned roles according to the permission for the contract => e.g. If I have a permission to read an contract, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the contract, I have a permission to edit (add or delete) its assigned roles. Logged identity can see / edit roles assigned to managed contracts only.
  
 ==== IdentityRoleByRoleEvaluator ==== ==== IdentityRoleByRoleEvaluator ====
Line 204: Line 258:
  
 Gives a permission for code list items according to the permission for the code list => e.g. If I have a permission to read a code list, I have a permission to read its items. Gives a permission for code list items according to the permission for the code list => e.g. If I have a permission to read a code list, I have a permission to read its items.
 +
 +==== CodeListItemByCodeEvaluator ====
 +
 +@since 10.3.0
 +
 +Gives a permission for code list items according to the permission for the code list and item codes.
 +
 +=== Parameters ===
 +  * **Code list** (''codelist'') - Items from selected code list.
 +  * **Items** (''item-codes'') - Add permission to code list items by their codes. All items from selected code list will be used as default (use comma as separator - more item codes are supported).
  
 ==== VsRequestByImplementerEvaluator ==== ==== VsRequestByImplementerEvaluator ====
Line 322: Line 386:
 Permissions to identity roles. User can manipulate with his own roles. With basic settings for user you dont need this, beacause exist evaluator **IdentityRoleByIdentityEvaluator** and every identity can read all roles for identities that can read. Permissions to identity roles. User can manipulate with his own roles. With basic settings for user you dont need this, beacause exist evaluator **IdentityRoleByIdentityEvaluator** and every identity can read all roles for identities that can read.
  
 +==== SelfContractEvaluator ====
 +
 +@since 10.4.0
 +
 +Permissions to contracts. User can manipulate with his own contracts.
 ==== Universal request agenda (IdmRequest - evaluators) ==== ==== Universal request agenda (IdmRequest - evaluators) ====
  
 [[devel:documentation:roles:dev:universal_requests#permissions| Universal request agenda]] [[devel:documentation:roles:dev:universal_requests#permissions| Universal request agenda]]
 +
 +==== RoleByRoleCatalogueEvaluator ====
 +@since 10.3.0 for **LTS version** is available similar evaluator in [[devel:documentation:modules_extras:role_evaluator_by_role_catalogue|extras module]].
 +
 +Documentation for the evaluator is available [[devel:documentation:security:dev:authorization:role_evaluator_by_role_catalogue|there]].
 +
 +==== IdentityByTreeNodeEvaluator ====
 +@since 10.3.0 for **LTS version** is available similar evaluator in [[devel:documentation:modules_extras:identity_evaluator_by_work_position|extras module]].
 +
 +Documentation for the evaluator is available [[devel:documentation:security:dev:authorization:identity_evaluator_by_work_position|there]].
 +
 ===== Default policies ===== ===== Default policies =====
  
Line 330: Line 410:
  
  
-<note important>The business roles are not dealt with within the default role => the user will get what is set for the default role, nothing more.</note>+<note tip>The business roles are supported with the default role => the user will get all authorization policies from default and all sub roles.</note>
  
 ===== Examples of configuration ===== ===== Examples of configuration =====
Line 339: Line 419:
  
 If we want to read an identity profile including its assigned roles and IR, to enable password change and to request roles, it is possible to set the default role authorization policies as follows: If we want to read an identity profile including its assigned roles and IR, to enable password change and to request roles, it is possible to set the default role authorization policies as follows:
-  * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, reading, change password, manage authorizations | SelfIdentityEvaluator+  * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, reading, Change password, Change roles | SelfIdentityEvaluator
   * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator   * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator
-  * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator +  * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) 
-  * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) +  * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | **Can be requested only: true** IdentityRoleByRoleEvaluator 
-  * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | | IdentityContractByIdentityEvaluator+  * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: View in select box (autocomplete), Read, Change roles** | IdentityContractByIdentityEvaluator
   * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator   * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator
   * Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator   * Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator
Line 352: Line 432:
   * Permission to read and change indetity profile: Identity profile (IdmProfile) | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0)   * Permission to read and change indetity profile: Identity profile (IdmProfile) | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0)
   * Enabling the autocomplete for entities:   * Enabling the autocomplete for entities:
-    * User profile (picture) (IdmProfile) | Displaying in autocomplete, selections | BasePermissionEvaluator 
     * Users (IdmIdentity) | Displaying in autocomplete, selections | BasePermissionEvaluator     * Users (IdmIdentity) | Displaying in autocomplete, selections | BasePermissionEvaluator
 +    * User profile (picture) (IdmProfile) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Role (IdmRole) | Displaying in autocomplete, selections | BasePermissionEvaluator     * Role (IdmRole) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, selections | BasePermissionEvaluator     * Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, selections | BasePermissionEvaluator
Line 362: Line 442:
     * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator       **(<- use this only when using acc module)**     * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator       **(<- use this only when using acc module)**
     * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator      * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator 
-  Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | ReadUpdate, Create, Delete AutomaticRoleRequestByWfInvolvedIdentityEvaluator It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place. +    Scheduler (IdmLongRunningTask) | Displaying in autocompleteselections BasePermissionEvaluator 
-  Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator +    * Code lists (IdmCodeList| Displaying in autocomplete, selections | BasePermissionEvaluator 
- +    Code lists items (IdmCodeListItem) | Displaying in autocomplete, selections | [[#codelistitembycodelistevaluator|CodeListItemByCodeListEvaluator]] or [[#codelistitembycodeevaluator|CodeListItemByCodeEvaluator]] 
-If you want to enable the managers of the users to read their subordinates and change their permissions, add following permissions to the userRole: +  * Permission to read and solve one's requests on virtual systemsRequests on virtual systems (VsRequest) | Administration | VsRequestByImplementerEvaluator ([[tutorial:adm:modules_vs#permissions]]). If you don't want to display the VS requests agenda to all your usersthen we recommend setting this permission to some other role which you will assign only to the VS implementers.
-  * Users (IdmIdentity) | Manage authorizations, View in select box (autocomplete), Read | SubordinatesEvaluator+
  
 <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity ''UPDATE''. But exits own permissions for each operation (''MANUALLYDISABLE'' or ''MANUALLYENABLE'')</note> <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity ''UPDATE''. But exits own permissions for each operation (''MANUALLYDISABLE'' or ''MANUALLYENABLE'')</note>
  
 <note tip>From version 9.7.12 it's required ''CANBEREQUESTED'' permission for copying roles into request by other identity.</note> <note tip>From version 9.7.12 it's required ''CANBEREQUESTED'' permission for copying roles into request by other identity.</note>
 +
 +=== Manager and subordinates ===
 +
 +If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only:
 +  * **add** following **permissions** to the userRole:
 +    * Users (IdmIdentity) | View in select box (autocomplete), Read | **SubordinatesEvaluator**
 +    * Contracts (IdmIdentityContract) | View in select box (autocomplete), Read, Change roles | **SubordinateContractEvaluator**
 +    * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator**
 +
 +<note tip>This configuration is available from version 10.3.0. If you are using some older version, add one permission instead: 
 +  * Users (IdmIdentity) | View in select box (autocomplete), Read, Change roles | **SubordinatesEvaluator**
 +
 +**With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. 
 +</note>
  
 ==== Settings of permissions for the Helpdesk role ==== ==== Settings of permissions for the Helpdesk role ====
Line 381: Line 474:
   * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator   * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator
  
 +==== Settings of permissions for virtual system implementer  ====
 +
 +The virtual system implementer (~approver) role should have following additional permissions:
 +  * Permission to admin virtual system requests: Requests on virtual systems (VsRequest ) | Administration (all) | VsRequestByImplementerEvaluator
 ==== Default settings of permissions for a role detail ==== ==== Default settings of permissions for a role detail ====
  
Line 389: Line 486:
     * Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator     * Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator
   * Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator   * Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator
 +  * Permission to autocomplete automatic roles (tree): Automatic roles (IdmRoleTreeNode) | Displaying in autocomplete, selections | BasePermissionEvaluator
   * Permission to read automatic roles (attributes) by role:    * Permission to read automatic roles (attributes) by role: 
-    * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Read | BasePermissionEvaluator+    * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Displaying in autocomplete, selections, Read | BasePermissionEvaluator
     * Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator     * Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator
   * Permissions to read request for automatic roles (both):   * Permissions to read request for automatic roles (both):
     * Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator     * Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator
     * Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator     * Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator
 +  * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update | AutomaticRoleRequestByWfInvolvedIdentityEvaluator. For create new or delete an automatic role request add another evaluator (for example BasePermissionEvaluator to choosed users). Add also autocomplete permission to IdmAutomaticRoleAttribute (if you use automatic roles by attributes) and IdmRoleTreeNode (if you use automatic roles by organizations.).
   * Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator   * Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator
   * Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator   * Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator
Line 402: Line 501:
     * Business roles definition (IdmRoleComposition) | - | [[#RoleCompositionBySuperiorRoleEvaluator]]     * Business roles definition (IdmRoleComposition) | - | [[#RoleCompositionBySuperiorRoleEvaluator]]
     * Business roles definition (IdmRoleComposition) | - | [[#RoleCompositionBySubRoleEvaluator]]     * Business roles definition (IdmRoleComposition) | - | [[#RoleCompositionBySubRoleEvaluator]]
 +  * Permission to autocomplete form definitions: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | BasePermissionEvaluator
   * Role attributes (subdefnition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator   * Role attributes (subdefnition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator
  
Line 411: Line 511:
   * Permission to admin code list extended attributes: Forms - attributes (IdmFormAttribute) | - | [[#FormAttributteByCodeListEvaluator]]   * Permission to admin code list extended attributes: Forms - attributes (IdmFormAttribute) | - | [[#FormAttributteByCodeListEvaluator]]
  
-==== Secure identity form (extended) attribute values ====+==== Settings of permissions of identity basic attributes ==== 
 + 
 +If we want to enable for currently logged identity change all basic identity attributes (e.g. login, first name, surname), the authorization policies can be set as follows: 
 +  * Permission to update identity and attributes: Users (IdmIdentity) | **Update**, Change phone, Change personal number, Change note, Change login, Change user type (projection), Change email, Change first name, surname and titles | BasePermissionEvaluator 
 + 
 +<note tip>Can be combined with [[#manager_and_subordinates|subordinates evaluator]] to enable update attributes for managers only. When identity is created, then **CREATE** permission is needed only - additional permissions are evaluated for **UPDATE** identity only.</note> 
 + 
 +<note important>This configuration is **required from version 10.3.0** for update basic identity attributes.</note> 
 + 
 +==== Settings of permissions of identity form (extended) attribute values ====
  
-If we want to enable for currently logged identity update only for some form attributes (e.g ''phone'') from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows: +If we want to enable for currently logged identity read / update for some form attributes (e.g ''phone'') from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows: 
-  * Enable authorization policies support for identity form values by [[..:..:application_configuration:dev:backend#identity|configuration]]. +  * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier
-  * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier+
   * Permission to update ''phone'' attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition same as above, enter ''phone'' as attributes   * Permission to update ''phone'' attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition same as above, enter ''phone'' as attributes
-  * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will don'get permissions to edit other users.+  * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will not get permissions to edit other users.
  
-==== Secure contract form (extended) attribute values ====+==== Settings of permissions of contract form (extended) attribute values ====
  
-If we want to enable for currently logged identity update only for some contract form attributes (e.g. ''other manager'') from some form definition (e.g. from main definition) on contract detail (tab more information), the authorization policies have to be be set as follows:+If we want to enable for currently logged identity read / update for some contract form attributes (e.g. ''other manager'') from some form definition (e.g. from main definition) on contract detail (tab more information), the authorization policies have to be be set as follows:
   * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for contracts) identifier   * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for contracts) identifier
   * Permission to update ''other manager'' attribute: Forms - values (IdmIdentityContractFormValue) | Read, Update | IdentityContractFormValueEvaluator - select form definition same as above and enter ''other manager'' as attributes.   * Permission to update ''other manager'' attribute: Forms - values (IdmIdentityContractFormValue) | Read, Update | IdentityContractFormValueEvaluator - select form definition same as above and enter ''other manager'' as attributes.
  • by koulaj