devel:documentation:security:dev:authorization [2020/04/15 06:44]
tomiskar [IdentityContractByIdentityEvaluator]
devel:documentation:security:dev:authorization [2020/04/20 11:53]
tomiskar [Default settings of permissions for an identity profile]
Line 114: Line 114:
 ==== SubordinatesEvaluator ==== ==== SubordinatesEvaluator ====
  
-A permission for identities which are my subordinates. [[..:..:architecture:dev:filters#defaultsubordinatesfilter|Overloadable filters]] are used for evaluating subordinates or managers.+A permission for contracts which are my subordinates. [[..:..:architecture:dev:filters#defaultsubordinatesfilter|Overloadable filters]] are used for evaluating subordinates or managers. 
 + 
 +==== SubordinateContractEvaluator ==== 
 + 
 +@since 10.3.0 
 + 
 +A permission for identities which are my subordinate contracts. [[..:..:architecture:dev:filters#defaultcontractbymanagerfilter|Overloadable filters]] are used for evaluating subordinate contracts or contract managers.
  
 ==== IdentityContractByIdentityEvaluator ==== ==== IdentityContractByIdentityEvaluator ====
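Review bot: the two evaluator descriptions read as swapped. In the configuration table later in this change SubordinatesEvaluator is attached to Users (IdmIdentity), yet the edited line now says "A permission for contracts which are my subordinates", while SubordinateContractEvaluator is attached to Contracts (IdmIdentityContract) but is described as "A permission for identities which are my subordinate contracts". Suggest "A permission for identities which are my subordinates" for the first and "A permission for contracts which are my subordinate contracts (contracts I manage)" for the second, so each paragraph names the entity type the policy actually evaluates; an administrator who picks the wrong evaluator from this text grants read on the wrong entity.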
Line 137: Line 143:
  
 Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles. Gives a permission for assigned roles according to the permission for the identity => e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles.
 +
 +==== IdentityRoleByContractEvaluator ====
 +
 +@since 10.3.0
 +
 +Gives a permission for assigned roles according to the permission for the contract => e.g. If I have a permission to read an contract, I have a permission to read its assigned roles. ''AbstractTransitiveEvaluator'' is used here. If I have a permission to edit the contract, I have a permission to edit (add or delete) its assigned roles. Logged identity can see / edit roles assigned to managed contracts only.
  
 ==== IdentityRoleByRoleEvaluator ==== ==== IdentityRoleByRoleEvaluator ====
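Review bot: the closing sentence "Logged identity can see / edit roles assigned to managed contracts only" claims more than this evaluator does by itself. As the paragraph states, it is an AbstractTransitiveEvaluator: it inherits whatever permission the logged identity holds on the contract, so the restriction to managed contracts only holds when the contract permission itself comes from SubordinateContractEvaluator; with a broader contract policy it would expose the assigned roles of every readable contract. Suggest "In combination with SubordinateContractEvaluator, the logged identity can see / edit only roles assigned to the contracts they manage." Also "an contract" should read "a contract".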
Line 372: Line 384:
     * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator       **(<- use this only when using acc module)**     * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator       **(<- use this only when using acc module)**
     * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator      * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator 
 +    * Scheduler (IdmLongRunningTask) | Read | BasePermissionEvaluator
   * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place.   * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place.
   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator
- 
-If you want to enable the managers of the users to read their subordinates and change their permissions, add following permissions to the userRole: 
-  * Users (IdmIdentity) | Manage authorizations, View in select box (autocomplete), Read | SubordinatesEvaluator 
  
 <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity ''UPDATE''. But exits own permissions for each operation (''MANUALLYDISABLE'' or ''MANUALLYENABLE'')</note> <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity ''UPDATE''. But exits own permissions for each operation (''MANUALLYDISABLE'' or ''MANUALLYENABLE'')</note>
  
 <note tip>From version 9.7.12 it's required ''CANBEREQUESTED'' permission for copying roles into request by other identity.</note> <note tip>From version 9.7.12 it's required ''CANBEREQUESTED'' permission for copying roles into request by other identity.</note>
 +
 +=== Manager and subordinates ===
 +
 +If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only:
 +  * **remove** following **permissions** from the userRole:
 +    * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | **IdentityContractByIdentityEvaluator**
 +  * **add** following **permissions** to the userRole:
 +    * Users (IdmIdentity) | View in select box (autocomplete), Read | **SubordinatesEvaluator**
 +    * Contracts (IdmIdentityContract) | View in select box (autocomplete), Read, Change roles | **SubordinateContractEvaluator**
 +    * Users (IdmIdentity) | - | **IdentityByContractEvaluator**
 +    * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator**
 +
 +<note tip>This configuration is available from version 10.3.0. If you are using some older version, then no permissions have to be removed and add one permission instead: 
 +  * Users (IdmIdentity) | View in select box (autocomplete), Read, Change roles | **SubordinatesEvaluator**
 +
 +**With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. 
 +</note>
  
 ==== Settings of permissions for the Helpdesk role ==== ==== Settings of permissions for the Helpdesk role ====
  • by koulaj
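Review bot: the removal step drops IdentityContractByIdentityEvaluator from the whole userRole but does not say what still lets an ordinary user (a non-manager) read their own contracts once it is gone; state which remaining policy covers that, or note explicitly that losing it is intended. Two smaller points: the new configuration grants "Change roles" on Contracts (IdmIdentityContract) only, whereas the pre-10.3.0 fallback in the note keeps it on Users (IdmIdentity) via SubordinatesEvaluator, which is the intended narrowing described in the note's bold sentence but deserves one sentence saying so; and the added "Scheduler (IdmLongRunningTask) | Read | BasePermissionEvaluator" line has no "Permission to ..." explanation of why the default user role needs read on long running tasks, unlike the entries that follow it. Wording: "which not manages" should read "which they do not manage", and "then no permissions have to be removed and add one permission instead" should read "no permission has to be removed; add this single permission instead".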