Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
devel:documentation:security:dev:authorization [2020/04/22 11:26] tomiskar [Settings of permissions of identity basic attributes] |
devel:documentation:security:dev:authorization [2020/05/18 12:47] kotynekv [Settings of permissions of identity form (extended) attribute values] fix a typo |
||
---|---|---|---|
Line 105: | Line 105: | ||
Serves as a parent for evaluating permissions according to the derived objects - for example, I have a permission for the assigned role if I have a permission for the identity, etc. See the children of this abstract class below ('' | Serves as a parent for evaluating permissions according to the derived objects - for example, I have a permission for the assigned role if I have a permission for the identity, etc. See the children of this abstract class below ('' | ||
+ | |||
+ | === Parameters === | ||
+ | * **Use permissions** ('' | ||
==== BasePermissionEvaluator ==== | ==== BasePermissionEvaluator ==== | ||
Line 121: | Line 124: | ||
Gives currently logged user a permission to work with his own identity. | Gives currently logged user a permission to work with his own identity. | ||
+ | |||
+ | ==== IdentityByFormProjectionEvaluator ==== | ||
+ | |||
+ | @since 10.3.0 | ||
+ | |||
+ | A permission for identities by user type. | ||
+ | |||
+ | === Parameters === | ||
+ | * **User type** ('' | ||
==== SubordinatesEvaluator ==== | ==== SubordinatesEvaluator ==== | ||
Line 136: | Line 148: | ||
Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. '' | Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. '' | ||
- | <note warning> | + | === Parameters === |
+ | * **Use permissions** ('' | ||
+ | |||
+ | <note warning> | ||
==== IdentityByContractEvaluator ==== | ==== IdentityByContractEvaluator ==== | ||
Line 144: | Line 159: | ||
Gives a permission for identity according to the permission for identity contract => e.g. if I have a permission to read an contract, I have a permission to read its identity. | Gives a permission for identity according to the permission for identity contract => e.g. if I have a permission to read an contract, I have a permission to read its identity. | ||
- | <note warning> | + | <note warning> |
==== ContractGuaranteeByIdentityContractEvaluator ==== | ==== ContractGuaranteeByIdentityContractEvaluator ==== | ||
Line 236: | Line 251: | ||
Gives a permission for code list items according to the permission for the code list => e.g. If I have a permission to read a code list, I have a permission to read its items. | Gives a permission for code list items according to the permission for the code list => e.g. If I have a permission to read a code list, I have a permission to read its items. | ||
+ | |||
+ | ==== CodeListItemByCodeEvaluator ==== | ||
+ | |||
+ | @since 10.3.0 | ||
+ | |||
+ | Gives a permission for code list items according to the permission for the code list and item codes. | ||
+ | |||
+ | === Parameters === | ||
+ | * **Code list** ('' | ||
+ | * **Items** ('' | ||
==== VsRequestByImplementerEvaluator ==== | ==== VsRequestByImplementerEvaluator ==== | ||
Line 357: | Line 382: | ||
[[devel: | [[devel: | ||
+ | |||
+ | ==== RoleByRoleCatalogueEvaluator ==== | ||
+ | @since 10.3.0 for **LTS version** is available similar evaluator in [[devel: | ||
+ | |||
+ | Documentation for the evaluator is available [[devel: | ||
+ | |||
+ | ==== IdentityByTreeNodeEvaluator ==== | ||
+ | @since 10.3.0 for **LTS version** is available similar evaluator in [[devel: | ||
+ | |||
+ | Documentation for the evaluator is available [[devel: | ||
+ | |||
===== Default policies ===== | ===== Default policies ===== | ||
Line 373: | Line 409: | ||
* Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, | * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, | ||
* Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | ||
- | * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator | + | * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator |
- | * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) | + | * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested |
* Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator | ||
* Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | ||
Line 395: | Line 431: | ||
* Connected systems | Displaying in autocomplete, | * Connected systems | Displaying in autocomplete, | ||
* Scheduler (IdmLongRunningTask) | Displaying in autocomplete, | * Scheduler (IdmLongRunningTask) | Displaying in autocomplete, | ||
+ | * Code lists (IdmCodeList) | Displaying in autocomplete, | ||
+ | * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, | ||
* Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place. | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place. | ||
* Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | ||
Line 405: | Line 443: | ||
If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: | If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: | ||
- | * **remove** following **permissions** from the userRole: | + | * **change** following **permissions** from the userRole: |
- | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | **IdentityContractByIdentityEvaluator** | + | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: |
* **add** following **permissions** to the userRole: | * **add** following **permissions** to the userRole: | ||
* Users (IdmIdentity) | View in select box (autocomplete), | * Users (IdmIdentity) | View in select box (autocomplete), | ||
* Contracts (IdmIdentityContract) | View in select box (autocomplete), | * Contracts (IdmIdentityContract) | View in select box (autocomplete), | ||
- | * Users (IdmIdentity) | - | **IdentityByContractEvaluator** | ||
* Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator** | * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator** | ||
Line 463: | Line 500: | ||
* Permission to update identity and attributes: Users (IdmIdentity) | **Update**, Change phone, Change personal number, Change note, Change login, Change user type (projection), | * Permission to update identity and attributes: Users (IdmIdentity) | **Update**, Change phone, Change personal number, Change note, Change login, Change user type (projection), | ||
- | <note tip>Can be combined with [[# | + | <note tip>Can be combined with [[# |
<note important> | <note important> | ||
Line 470: | Line 507: | ||
If we want to enable for currently logged identity read / update for some form attributes (e.g '' | If we want to enable for currently logged identity read / update for some form attributes (e.g '' | ||
- | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, | + | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, |
* Permission to update '' | * Permission to update '' | ||
* and check logged user only checkbox, if currently logged user can edit just itself. Logged user will don't get permissions to edit other users. | * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will don't get permissions to edit other users. |