Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | Next revision Both sides next revision | ||
|
devel:documentation:security:dev:authorization [2020/04/15 08:42] tomiskar |
devel:documentation:security:dev:authorization [2020/04/15 09:04] tomiskar [Default settings of permissions for an identity profile] |
||
|---|---|---|---|
| Line 386: | Line 386: | ||
| * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place. | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place. | ||
| * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | ||
| - | |||
| - | If you want to enable the managers of the users to read their subordinates and change their permissions, | ||
| - | * Users (IdmIdentity) | Manage authorizations, | ||
| <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity '' | <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity '' | ||
| <note tip>From version 9.7.12 it's required '' | <note tip>From version 9.7.12 it's required '' | ||
| + | |||
| + | === Manager and subordinates === | ||
| + | |||
| + | If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: | ||
| + | * **remove** following **permissions from the userRole**: | ||
| + | * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | **IdentityRoleByIdentityEvaluator** | ||
| + | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | **IdentityContractByIdentityEvaluator** | ||
| + | * **add** following permissions **to the userRole**: | ||
| + | * Contracts (IdmIdentityContract) | View in select box (autocomplete), | ||
| + | * Users (IdmIdentity) | - | **IdentityByContractEvaluator** | ||
| + | * Users (IdmIdentity) | Change roles | **SubordinatesEvaluator** | ||
| + | * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator** | ||
| ==== Settings of permissions for the Helpdesk role ==== | ==== Settings of permissions for the Helpdesk role ==== | ||