Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
devel:documentation:security:dev:authorization [2020/04/23 09:59]
tomiskar [Default settings of permissions for an identity profile] 		devel:documentation:security:dev:authorization [2020/05/07 06:18]
kopro
Line 105: Line 105:
  
 Serves as a parent for evaluating permissions according to the derived objects - for example, I have a permission for the assigned role if I have a permission for the identity, etc. See the children of this abstract class below (''IdentityContractByIdentityEvaluator''). Serves as a parent for evaluating permissions according to the derived objects - for example, I have a permission for the assigned role if I have a permission for the identity, etc. See the children of this abstract class below (''IdentityContractByIdentityEvaluator'').
 +
 +=== Parameters ===
 +  * **Use permissions** (''include-permissions'') - Only selected permissions can be used from owner permissions transitively. Configuration property has to be used in evaluator configuration properties (in evaluator form attributes) and ''getPredicate method'' has to check evaluated permission is selected (see ''IdentityContractByIdentityEvaluator'' for example).
  
 ==== BasePermissionEvaluator ==== ==== BasePermissionEvaluator ====
Line 121: Line 124:
  
 Gives currently logged user a permission to work with his own identity.  Gives currently logged user a permission to work with his own identity. 
 +
 +==== IdentityByFormProjectionEvaluator ====
 +
 +@since 10.3.0
 +
 +A permission for identities by user type.
 +
 +=== Parameters ===
 +  * **User type** (''form-projection'') - Add permission to selected user type or to default type (user without type is specified).
  
 ==== SubordinatesEvaluator ==== ==== SubordinatesEvaluator ====
Line 136: Line 148:
 Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. ''AbstractTransitiveEvaluator'' is used here. Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. ''AbstractTransitiveEvaluator'' is used here.
  
-<note warning>Prevent to combine with ''IdentityByContractEvaluator'' - configure one of them. ''IdentityByContractEvaluator'' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note>+=== Parameters === 
 +  * **Use permissions** (''include-permissions'') - Only selected permissions can be used from identity permissions transitively. 
 + 
 +<note warning>Prevent to combine with ''IdentityByContractEvaluator'' - configure one of them.</note>
  
 ==== IdentityByContractEvaluator ==== ==== IdentityByContractEvaluator ====
Line 144: Line 159:
 Gives a permission for identity according to the permission for identity contract => e.g. if I have a permission to read an contract, I have a permission to read its identity. Gives a permission for identity according to the permission for identity contract => e.g. if I have a permission to read an contract, I have a permission to read its identity.
  
-<note warning>Prevent to combine with ''IdentityContractByIdentityEvaluator '' - configure one of them. ''IdentityByContractEvaluator'' is more flexibile - contracts can be secured by manager (by tree structure or by guarantee). If ''IdentityRoleByContractEvaluator'' is configured too, then logged identity can see / edit roles assigned to managed contracts only.</note>+<note warning>Prevent to combine with ''IdentityContractByIdentityEvaluator '' - configure one of them.</note>
  
 ==== ContractGuaranteeByIdentityContractEvaluator ==== ==== ContractGuaranteeByIdentityContractEvaluator ====
Line 367: Line 382:
  
 [[devel:documentation:roles:dev:universal_requests#permissions| Universal request agenda]] [[devel:documentation:roles:dev:universal_requests#permissions| Universal request agenda]]
 +
 +==== RoleByRoleCatalogueEvaluator ====
 +@since 10.3.0 for **LTS version** is available similar evaluator in [[devel:documentation:modules_extras:role_evaluator_by_role_catalogue|extras module]].
 +
 +Documentation for the evaluator is available [[devel:documentation:security:dev:authorization:role_evaluator_by_role_catalogue|there]].
 +
 ===== Default policies ===== ===== Default policies =====
  
Line 417: Line 438:
  
 If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only:
-  * **remove** following **permissions** from the userRole: +  * **change** following **permissions** from the userRole: 
-    * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | | **IdentityContractByIdentityEvaluator**+    * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: Read** | **IdentityContractByIdentityEvaluator**
   * **add** following **permissions** to the userRole:   * **add** following **permissions** to the userRole:
     * Users (IdmIdentity) | View in select box (autocomplete), Read | **SubordinatesEvaluator**     * Users (IdmIdentity) | View in select box (autocomplete), Read | **SubordinatesEvaluator**
     * Contracts (IdmIdentityContract) | View in select box (autocomplete), Read, Change roles | **SubordinateContractEvaluator**     * Contracts (IdmIdentityContract) | View in select box (autocomplete), Read, Change roles | **SubordinateContractEvaluator**
-    * Users (IdmIdentity) | - | **IdentityByContractEvaluator** 
     * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator**     * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator**
  
  • by koulaj