Differences

This shows you the differences between two versions of the page.

--- devel:documentation:security:dev:authorization [2020/04/21 12:04]
tomiskar [Default settings of permissions for an identity profile]
+++ devel:documentation:security:dev:authorization [2020/04/22 11:26]
tomiskar [Settings of permissions of identity basic attributes]
@@ Line 72: / Line 72: @@
   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.
-  * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
-  * ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection.
   * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button.
   * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button.
+  * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
+  * ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection.
+  * ''CHANGEUSERNAME'' - @since 10.3.0 - Change identity login.
+  * ''CHANGENAME'' - @since 10.3.0 - Change identity firt name, surname and titles.
+  * ''CHANGEPHONE'' - @since 10.3.0 - Change identity phone.
+  * ''CHANGEEMAIL'' - @since 10.3.0 - Change identity eamil.
+  * ''CHANGEEXTERNALCODE'' - @since 10.3.0 - Change identity personal number.
+  * ''CHANGEDESCRIPTION'' - @since 10.3.0 - Change identity description.
 ==== Role====
@@ Line 85: / Line 91: @@
   * ''CANBEREQUESTED'' - role, which can be requested. Used in copying assigned roles by other identity.
+==== Identity contract ====
+  * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on contract gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
 ===== Base authorization evaluators =====
@@ Line 447: / Line 457: @@
   * Permission to admin code list items by code lists: Code lists - items (IdmCodeListItem) | - | [[#CodeListItemByCodeListEvaluator]]
   * Permission to admin code list extended attributes: Forms - attributes (IdmFormAttribute) | - | [[#FormAttributteByCodeListEvaluator]]
+==== Settings of permissions of identity basic attributes ====
+If we want to enable for currently logged identity change all basic identity attributes (e.g. login, first name, surname), the authorization policies can be set as follows:
+  * Permission to update identity and attributes: Users (IdmIdentity) | **Update**, Change phone, Change personal number, Change note, Change login, Change user type (projection), Change email, Change first name, surname and titles | BasePermissionEvaluator
+<note tip>Can be combined with [[#manager_and_subordinates|subordinates evaluator]] to enable update attributes for managers only.</note>
+<note important>This configuration is **required from version 10.3.0** for update basic identity attributes.</note>
 ==== Settings of permissions of identity form (extended) attribute values ====