Differences

This shows you the differences between two versions of the page.

--- devel:documentation:security:dev:authorization [2020/04/16 12:38]
tomiskar
+++ devel:documentation:security:dev:authorization [2020/05/04 11:42]
tomiskar [Default settings of permissions for an identity profile]
@@ Line 72: / Line 72: @@
   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.
-  * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
-  * ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection.
   * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button.
   * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button.
+  * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
+  * ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection.
+  * ''CHANGEUSERNAME'' - @since 10.3.0 - Change identity login.
+  * ''CHANGENAME'' - @since 10.3.0 - Change identity firt name, surname and titles.
+  * ''CHANGEPHONE'' - @since 10.3.0 - Change identity phone.
+  * ''CHANGEEMAIL'' - @since 10.3.0 - Change identity eamil.
+  * ''CHANGEEXTERNALCODE'' - @since 10.3.0 - Change identity personal number.
+  * ''CHANGEDESCRIPTION'' - @since 10.3.0 - Change identity description.
 ==== Role====
@@ Line 85: / Line 91: @@
   * ''CANBEREQUESTED'' - role, which can be requested. Used in copying assigned roles by other identity.
+==== Identity contract ====
+  * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on contract gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
 ===== Base authorization evaluators =====
@@ Line 111: / Line 121: @@
 Gives currently logged user a permission to work with his own identity.
+==== IdentityByFormProjectionEvaluator ====
+@since 10.3.0
+A permission for identities by user type.
+=== Parameters ===
+  * **User type** (''form-projection'') - Add permission to selected user type or to default type (user without type is specified).
 ==== SubordinatesEvaluator ====
@@ Line 226: / Line 245: @@
 Gives a permission for code list items according to the permission for the code list => e.g. If I have a permission to read a code list, I have a permission to read its items.
+==== CodeListItemByCodeEvaluator ====
+@since 10.3.0
+Gives a permission for code list items according to the permission for the code list and item codes.
+=== Parameters ===
+  * **Code list** (''codelist'') - Items from selected code list.
+  * **Items** (''item-codes'') - Add permission to code list items by their codes. All items from selected code list will be used as default (use comma as separator - more item codes are supported).
 ==== VsRequestByImplementerEvaluator ====
@@ Line 384: / Line 413: @@
     * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator       **(<- use this only when using acc module)**
     * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator
-    * Scheduler (IdmLongRunningTask) | Read | BasePermissionEvaluator
+    * Scheduler (IdmLongRunningTask) | Displaying in autocomplete, selections | BasePermissionEvaluator
+    * Code lists (IdmCodeList) | Displaying in autocomplete, selections | BasePermissionEvaluator
+    * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, selections | [[#codelistitembycodelistevaluator|CodeListItemByCodeListEvaluator]] or [[#codelistitembycodeevaluator|CodeListItemByCodeEvaluator]]
   * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place.
   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator
@@ Line 395: / Line 426: @@
 If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only:
-  * **remove** following **permissions** from the userRole:
+  * **change** following **permissions** from the userRole:
-    * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | **IdentityRoleByIdentityEvaluator**
+    * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: Read** | **IdentityContractByIdentityEvaluator**
-    * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | **IdentityContractByIdentityEvaluator**
   * **add** following **permissions** to the userRole:
-    * Contracts (IdmIdentityContract)	| View in select box (autocomplete), Read | **SubordinateContractEvaluator**
+    * Users (IdmIdentity)	| View in select box (autocomplete), Read | **SubordinatesEvaluator**
-    * Users (IdmIdentity)	| - | **IdentityByContractEvaluator**
+    * Contracts (IdmIdentityContract)	| View in select box (autocomplete), Read, Change roles | **SubordinateContractEvaluator**
-    * Users (IdmIdentity)	| Change roles | **SubordinatesEvaluator**
     * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator**
 <note tip>This configuration is available from version 10.3.0. If you are using some older version, then no permissions have to be removed and add one permission instead:
-  * Users (IdmIdentity)	| Manage authorizations, View in select box (autocomplete), Read | **SubordinatesEvaluator**
+  * Users (IdmIdentity)	| View in select box (autocomplete), Read, Change roles | **SubordinatesEvaluator**
 **With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0.
@@ Line 449: / Line 478: @@
   * Permission to admin code list extended attributes: Forms - attributes (IdmFormAttribute) | - | [[#FormAttributteByCodeListEvaluator]]
-==== Secure identity form (extended) attribute values ====
+==== Settings of permissions of identity basic attributes ====
+If we want to enable for currently logged identity change all basic identity attributes (e.g. login, first name, surname), the authorization policies can be set as follows:
+  * Permission to update identity and attributes: Users (IdmIdentity) | **Update**, Change phone, Change personal number, Change note, Change login, Change user type (projection), Change email, Change first name, surname and titles | BasePermissionEvaluator
+<note tip>Can be combined with [[#manager_and_subordinates|subordinates evaluator]] to enable update attributes for managers only. When identity is created, then **CREATE** permission is needed only - additional permissions are evaluated for **UPDATE** identity only.</note>
+<note important>This configuration is **required from version 10.3.0** for update basic identity attributes.</note>
+==== Settings of permissions of identity form (extended) attribute values ====
-If we want to enable for currently logged identity update only for some form attributes (e.g ''phone'') from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows:
+If we want to enable for currently logged identity read / update for some form attributes (e.g ''phone'') from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows:
-  * Enable authorization policies support for identity form values by [[..:..:application_configuration:dev:backend#identity|configuration]].
   * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier
   * Permission to update ''phone'' attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition same as above, enter ''phone'' as attributes
   * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will don't get permissions to edit other users.
-==== Secure contract form (extended) attribute values ====
+==== Settings of permissions of contract form (extended) attribute values ====
-If we want to enable for currently logged identity update only for some contract form attributes (e.g. ''other manager'') from some form definition (e.g. from main definition) on contract detail (tab more information), the authorization policies have to be be set as follows:
+If we want to enable for currently logged identity read / update for some contract form attributes (e.g. ''other manager'') from some form definition (e.g. from main definition) on contract detail (tab more information), the authorization policies have to be be set as follows:
   * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for contracts) identifier
   * Permission to update ''other manager'' attribute: Forms - values (IdmIdentityContractFormValue) | Read, Update | IdentityContractFormValueEvaluator - select form definition same as above and enter ''other manager'' as attributes.