Differences

devel:documentation:security:dev:authorization [2020/04/21 11:30]
tomiskar
devel:documentation:security:dev:authorization [2020/04/22 11:26]
tomiskar [Settings of permissions of identity basic attributes]
Line 72: Line 72:
  
   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.
-  * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests. 
-  * ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection. 
   * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button.   * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button.
   * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button.   * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button.
 +  * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
 +  * ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection.
 +  * ''CHANGEUSERNAME'' - @since 10.3.0 - Change identity login.
 +  * ''CHANGENAME'' - @since 10.3.0 - Change identity firt name, surname and titles.
 +  * ''CHANGEPHONE'' - @since 10.3.0 - Change identity phone.
 +  * ''CHANGEEMAIL'' - @since 10.3.0 - Change identity eamil.
 +  * ''CHANGEEXTERNALCODE'' - @since 10.3.0 - Change identity personal number.
 +  * ''CHANGEDESCRIPTION'' - @since 10.3.0 - Change identity description.
  
 ==== Role==== ==== Role====
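Review bot: the added lines for ''CHANGENAME'' and ''CHANGEEMAIL'' carry typos ("firt name", "eamil") that should read "first name" and "email", and the moved ''CHANGEPERMISSION'' line keeps the grammar slip "when identity's permissions is changed" (should be "are changed"). It would also help readers to say next to the new 10.3.0 permissions that ''UPDATE'' on its own no longer covers changes to login, name, phone, email, personal number and description, since the section added further down in this revision states that the corresponding policy configuration is required from version 10.3.0.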
Line 85: Line 91:
  
   * ''CANBEREQUESTED'' - role, which can be requested. Used in copying assigned roles by other identity.   * ''CANBEREQUESTED'' - role, which can be requested. Used in copying assigned roles by other identity.
 +
 +==== Identity contract ====
 +
 +  * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on contract gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
  
 ===== Base authorization evaluators ===== ===== Base authorization evaluators =====
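Review bot: the description of ''CHANGEPERMISSION'' in the new Identity contract section is copied from the identity section and still reads "when identity's permissions is changed"; for a contract it should say when the contract's role assignments (permissions) are changed, and "is" should be "are". Consider also stating how the identity-level and contract-level ''CHANGEPERMISSION'' combine, i.e. whether either one is enough to work with role requests for that contract, as the two entries otherwise read as duplicates.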
Line 384: Line 394:
     * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator       **(<- use this only when using acc module)**     * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator       **(<- use this only when using acc module)**
     * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator      * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator 
-    * Scheduler (IdmLongRunningTask) | Read | BasePermissionEvaluator+    * Scheduler (IdmLongRunningTask) | Displaying in autocomplete, selections | BasePermissionEvaluator
   * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place.   * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place.
   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator
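Review bot: the Scheduler (IdmLongRunningTask) entry is lowered from Read to "Displaying in autocomplete, selections" without a reason; a short sentence (e.g. that the default policy only needs to list tasks in selectors, with Read granted separately to those who should open task details) would stop administrators from reverting it as a regression. The unchanged context line about IdmAutomaticRoleRequest still carries the author note "The permission is possibly in wrong place", which reads as an unresolved TODO in published documentation and should be resolved or moved out of the rendered text.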
Line 447: Line 457:
   * Permission to admin code list items by code lists: Code lists - items (IdmCodeListItem) | - | [[#CodeListItemByCodeListEvaluator]]   * Permission to admin code list items by code lists: Code lists - items (IdmCodeListItem) | - | [[#CodeListItemByCodeListEvaluator]]
   * Permission to admin code list extended attributes: Forms - attributes (IdmFormAttribute) | - | [[#FormAttributteByCodeListEvaluator]]   * Permission to admin code list extended attributes: Forms - attributes (IdmFormAttribute) | - | [[#FormAttributteByCodeListEvaluator]]
 +
 +==== Settings of permissions of identity basic attributes ====
 +
 +If we want to enable for currently logged identity change all basic identity attributes (e.g. login, first name, surname), the authorization policies can be set as follows:
 +  * Permission to update identity and attributes: Users (IdmIdentity) | **Update**, Change phone, Change personal number, Change note, Change login, Change user type (projection), Change email, Change first name, surname and titles | BasePermissionEvaluator
 +
 +<note tip>Can be combined with [[#manager_and_subordinates|subordinates evaluator]] to enable update attributes for managers only.</note>
 +
 +<note important>This configuration is **required from version 10.3.0** for update basic identity attributes.</note>
  
 ==== Settings of permissions of identity form (extended) attribute values ==== ==== Settings of permissions of identity form (extended) attribute values ====
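Review bot: the labels in the new "Settings of permissions of identity basic attributes" policy do not match the permission constants added in the earlier hunk of this revision, e.g. "Change note" versus ''CHANGEDESCRIPTION'' (described there as "Change identity description") and "Change personal number" versus ''CHANGEEXTERNALCODE''; giving both the UI label and the constant would let administrators verify the policy in the admin console. The opening sentence "If we want to enable for currently logged identity change all basic identity attributes" should read "If we want to allow the currently logged-in identity to change all basic identity attributes", and the section should say whether a policy with BasePermissionEvaluator applies to all identities or only to the logged-in identity's own profile, since the tip only mentions narrowing it to managers and their subordinates.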
  • by koulaj