Differences

This shows you the differences between two versions of the page.

devel:documentation:security:dev:authorization [2020/04/22 11:21]
tomiskar
devel:documentation:security:dev:authorization [2020/04/23 11:37]
tomiskar
Line 121: Line 121:
  
 Gives currently logged user a permission to work with his own identity.  Gives currently logged user a permission to work with his own identity. 
 +
 +==== IdentityByFormProjectionEvaluator ====
 +
 +@since 10.3.0
 +
 +A permission for identities by user type.
 +
 +=== Parameters ===
 +  * **User type** (''form-projection'') - Add permission to selected user type or to default type (user without type is specified).
  
 ==== SubordinatesEvaluator ==== ==== SubordinatesEvaluator ====
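
Review bot: The description of the ''form-projection'' parameter leaves the empty case ambiguous: "or to default type (user without type is specified)" does not say clearly that leaving the parameter unset applies the policy to identities that have no user type. Since the value decides which identities the policy covers, state the empty-value behaviour as its own sentence, for example "If no user type is selected, the permission applies to identities without a user type", if that is what is meant. The section also says only "A permission for identities by user type" and could name the entity (IdmIdentity) the evaluator is registered for, as the other sections in this page do in their permission tables.
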
Line 236: Line 245:
  
 Gives a permission for code list items according to the permission for the code list => e.g. If I have a permission to read a code list, I have a permission to read its items. Gives a permission for code list items according to the permission for the code list => e.g. If I have a permission to read a code list, I have a permission to read its items.
 +
 +==== CodeListItemByCodeEvaluator ====
 +
 +@since 10.3.0
 +
 +Gives a permission for code list items according to the permission for the code list and item codes.
 +
 +=== Parameters ===
 +  * **Code list** (''codelist'') - Items from selected code list.
 +  * **Items** (''item-codes'') - Add permission to code list items by their codes. All items from selected code list will be used as default (use comma as separator - more item codes are supported).
  
 ==== VsRequestByImplementerEvaluator ==== ==== VsRequestByImplementerEvaluator ====
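
Review bot: The ''item-codes'' parameter text "All items from selected code list will be used as default" documents a default that grants the widest scope when the field is left empty, and that deserves more emphasis than a half-sentence before the separator hint. Consider splitting it into two statements, one for the format (comma-separated codes) and one for the empty case, and say what happens with whitespace around commas and with codes that do not exist in the selected list. The summary line "according to the permission for the code list and item codes" also does not make clear whether a permission on the code list itself is still required, as it is for the evaluator described just above.
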
Line 395: Line 414:
     * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator      * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator 
     * Scheduler (IdmLongRunningTask) | Displaying in autocomplete, selections | BasePermissionEvaluator     * Scheduler (IdmLongRunningTask) | Displaying in autocomplete, selections | BasePermissionEvaluator
 +    * Code lists (IdmCodeList) | Displaying in autocomplete, selections | BasePermissionEvaluator
 +    * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, selections | [[#codelistitembycodelistevaluator|CodeListItemByCodeListEvaluator]] or [[#codelistitembycodeevaluator|CodeListItemByCodeEvaluator]]
   * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place.   * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place.
   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator
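
Review bot: The added "Code lists - items (IdmCodeListItem)" entry offers CodeListItemByCodeListEvaluator "or" CodeListItemByCodeEvaluator without saying when to choose which. A short hint would help whoever configures the default role: the first follows the permission on the code list, the second can narrow autocomplete to selected item codes. Please also confirm that both anchors, ''#codelistitembycodelistevaluator'' and ''#codelistitembycodeevaluator'', resolve to the section headings on the rendered page.
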
Line 460: Line 481:
 ==== Settings of permissions of identity basic attributes ==== ==== Settings of permissions of identity basic attributes ====
  
-If we want to enable for currently logged identity update all basic identity attributes (e.g. login, first name, surname), the authorization policies can be set as follows: +If we want to enable for currently logged identity change all basic identity attributes (e.g. login, first name, surname), the authorization policies can be set as follows: 
-  * Permission to update identity: Users (IdmIdentity) | Update, Change phone, Change personal number, Change note, Change login, Change user type (projection), Change email, Change first name, surname and titles | BasePermissionEvaluator+  * Permission to update identity and attributes: Users (IdmIdentity) | **Update**, Change phone, Change personal number, Change note, Change login, Change user type (projection), Change email, Change first name, surname and titles | BasePermissionEvaluator 
 + 
 +<note tip>Can be combined with [[#manager_and_subordinates|subordinates evaluator]] to enable update attributes for managers only. When identity is created, then **CREATE** permission is needed only - additional permissions are evaluated for **UPDATE** identity only.</note>
  
-<note tip>Can be combined with subordinates evaluation to enable update attributes for managers only.</note>+<note important>This configuration is **required from version 10.3.0** for update basic identity attributes.</note>
  
 ==== Settings of permissions of identity form (extended) attribute values ==== ==== Settings of permissions of identity form (extended) attribute values ====
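
Review bot: The tip's sentence "When identity is created, then **CREATE** permission is needed only - additional permissions are evaluated for **UPDATE** identity only" has a consequence the text should spell out: the per-attribute permissions (Change login, Change email, ...) do not restrict which basic attributes can be set at creation time, so a policy that grants CREATE cannot be narrowed by them. The "required from version 10.3.0" note should also say what a user sees after upgrade when only Update is granted (which attribute changes are refused) so that administrators can check existing policies. Minor: the tip links to ''#manager_and_subordinates'' with the label "subordinates evaluator", while the evaluator section earlier on the page is headed "SubordinatesEvaluator"; check that the anchor points where intended.
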
  • by koulaj