devel:documentation:security:dev:authorization [2020/04/21 12:04] tomiskar [Default settings of permissions for an identity profile] |
devel:documentation:security:dev:authorization [2020/04/22 11:26] tomiskar [Settings of permissions of identity basic attributes] |
| |
* ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed. | * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed. |
* ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests. | |
* ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection. | |
* ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button. | * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button. |
* ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button. | * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button. |
| * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests. |
| * ''CHANGEPROJECTION'' - @since 10.2.0 - Change identity form projection. |
| * ''CHANGEUSERNAME'' - @since 10.3.0 - Change identity login. |
| * ''CHANGENAME'' - @since 10.3.0 - Change identity firt name, surname and titles. |
| * ''CHANGEPHONE'' - @since 10.3.0 - Change identity phone. |
| * ''CHANGEEMAIL'' - @since 10.3.0 - Change identity eamil. |
| * ''CHANGEEXTERNALCODE'' - @since 10.3.0 - Change identity personal number. |
| * ''CHANGEDESCRIPTION'' - @since 10.3.0 - Change identity description. |
| |
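Review bot: two of the permission descriptions added on the right side contain typos: ''CHANGENAME'' reads "firt name" and ''CHANGEEMAIL'' reads "eamil"; these should be "first name" and "email". The relocated ''CHANGEPERMISSION'' entry still reads "permissions is changed", which could be corrected to "permissions are changed" while the line is being moved, and ''MANUALLYDISABLE''- and ''MANUALLYENABLE''- are missing the space before the dash that the other entries use.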
==== Role==== | ==== Role==== |
| |
* ''CANBEREQUESTED'' - role, which can be requested. Used in copying assigned roles by other identity. | * ''CANBEREQUESTED'' - role, which can be requested. Used in copying assigned roles by other identity. |
| |
| ==== Identity contract ==== |
| |
| * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on contract gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests. |
| |
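Review bot: the new ''CHANGEPERMISSION'' entry under Identity contract repeats the identity-level wording almost verbatim ("permission is evaluated, when identity's permissions is changed") and does not say how the contract-level permission relates to the identity-level one. State whether a policy needs the permission on the identity, on the contract, or on both before ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' on role requests is granted, so that a policy author does not hand out broader access than intended.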
===== Base authorization evaluators ===== | ===== Base authorization evaluators ===== |
* Permission to admin code list items by code lists: Code lists - items (IdmCodeListItem) | - | [[#CodeListItemByCodeListEvaluator]] | * Permission to admin code list items by code lists: Code lists - items (IdmCodeListItem) | - | [[#CodeListItemByCodeListEvaluator]] |
* Permission to admin code list extended attributes: Forms - attributes (IdmFormAttribute) | - | [[#FormAttributteByCodeListEvaluator]] | * Permission to admin code list extended attributes: Forms - attributes (IdmFormAttribute) | - | [[#FormAttributteByCodeListEvaluator]] |
| |
| ==== Settings of permissions of identity basic attributes ==== |
| |
| If we want to enable for currently logged identity change all basic identity attributes (e.g. login, first name, surname), the authorization policies can be set as follows: |
| * Permission to update identity and attributes: Users (IdmIdentity) | **Update**, Change phone, Change personal number, Change note, Change login, Change user type (projection), Change email, Change first name, surname and titles | BasePermissionEvaluator |
| |
| <note tip>Can be combined with [[#manager_and_subordinates|subordinates evaluator]] to enable update attributes for managers only.</note> |
| |
| <note important>This configuration is **required from version 10.3.0** for update basic identity attributes.</note> |
| |
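Review bot: the policy row lists UI labels (Change note, Change personal number, Change user type (projection)) without tying them to the permission codes defined earlier on the page (presumably ''CHANGEDESCRIPTION'', ''CHANGEEXTERNALCODE'', ''CHANGEPROJECTION''); put the code next to each label so the mapping is not left to guesswork. The intro sentence speaks of the "currently logged identity", yet the row uses BasePermissionEvaluator and the tip suggests narrowing it with the subordinates evaluator, so the section should state explicitly whose attributes this row lets the holder change. The important note would also be more useful if it said what an existing policy with only **Update** still permits from 10.3.0 on.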
==== Settings of permissions of identity form (extended) attribute values ==== | ==== Settings of permissions of identity form (extended) attribute values ==== |