Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
devel:documentation:security:dev:authorization [2020/04/16 12:38] tomiskar |
devel:documentation:security:dev:authorization [2020/04/21 11:22] tomiskar [Secure identity form (extended) attribute values] |
||
|---|---|---|---|
| Line 396: | Line 396: | ||
| If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: | If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: | ||
| * **remove** following **permissions** from the userRole: | * **remove** following **permissions** from the userRole: | ||
| - | * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | **IdentityRoleByIdentityEvaluator** | ||
| * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | **IdentityContractByIdentityEvaluator** | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | **IdentityContractByIdentityEvaluator** | ||
| * **add** following **permissions** to the userRole: | * **add** following **permissions** to the userRole: | ||
| - | * Contracts (IdmIdentityContract) | View in select box (autocomplete), | + | |
| + | | ||
| * Users (IdmIdentity) | - | **IdentityByContractEvaluator** | * Users (IdmIdentity) | - | **IdentityByContractEvaluator** | ||
| - | * Users (IdmIdentity) | Change roles | **SubordinatesEvaluator** | ||
| * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator** | * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator** | ||
| <note tip>This configuration is available from version 10.3.0. If you are using some older version, then no permissions have to be removed and add one permission instead: | <note tip>This configuration is available from version 10.3.0. If you are using some older version, then no permissions have to be removed and add one permission instead: | ||
| - | * Users (IdmIdentity) | | + | * Users (IdmIdentity) | View in select box (autocomplete), |
| **With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. | **With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. | ||
| Line 451: | Line 450: | ||
| ==== Secure identity form (extended) attribute values ==== | ==== Secure identity form (extended) attribute values ==== | ||
| - | If we want to enable for currently logged identity update only for some form attributes (e.g '' | + | If we want to enable for currently logged identity |
| - | * Enable authorization policies support for identity form values by [[..: | + | |
| * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, | ||
| * Permission to update '' | * Permission to update '' | ||