Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision Both sides next revision
devel:documentation:security:dev:authorization [2020/04/15 06:44]
tomiskar [IdentityContractByIdentityEvaluator] 		devel:documentation:security:dev:authorization [2020/04/15 06:53]
tomiskar
Line 114: Line 114:
 ==== SubordinatesEvaluator ==== ==== SubordinatesEvaluator ====
  
-A permission for identities which are my subordinates. [[..:..:architecture:dev:filters#defaultsubordinatesfilter|Overloadable filters]] are used for evaluating subordinates or managers.+A permission for contracts which are my subordinates. [[..:..:architecture:dev:filters#defaultsubordinatesfilter|Overloadable filters]] are used for evaluating subordinates or managers. 
 + 
 +<note warning>Prevent to combine with ''SubordinateContractEvaluator '' - configure one of them. ''SubordinateContractEvaluator '' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note> 
 + 
 +==== SubordinateContractEvaluator ==== 
 + 
 +@since 10.3.0 
 + 
 +A permission for identities which are my subordinate contracts. [[..:..:architecture:dev:filters#defaultcontractbymanagerfilter|Overloadable filters]] are used for evaluating subordinate contracts or contract managers. 
 + 
 +<note warning>Prevent to combine with ''SubordinatesEvaluator '' - configure one of them. ''SubordinateContractEvaluator '' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note>
  
 ==== IdentityContractByIdentityEvaluator ==== ==== IdentityContractByIdentityEvaluator ====
Line 137: Line 147:
  
 Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles. Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles.
 +
 +==== IdentityRoleByContractEvaluator ====
 +
 +@since 10.3.0
 +
 +Gives a permission for assigned roles according to the permission for the contract => e.g. If I have a permission to read an contract, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the contract, I have a permission to edit (add or delete) its assigned roles. Logged identity can see / edit roles assigned to managed contracts only.
  
 ==== IdentityRoleByRoleEvaluator ==== ==== IdentityRoleByRoleEvaluator ====
  • by koulaj