Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
devel:documentation:security:dev:authorization [2020/05/04 11:43] tomiskar |
devel:documentation:security:dev:authorization [2020/07/10 08:35] svandav [Default settings of permissions for an identity profile] |
||
---|---|---|---|
Line 41: | Line 41: | ||
<note important> | <note important> | ||
* '' | * '' | ||
+ | * **'' | ||
+ | * **'' | ||
* '' | * '' | ||
* '' | * '' | ||
- | * '' | + | * '' |
- | * '' | + | |
- | * '' | + | |
- | * '' | + | |
* '' | * '' | ||
* '' | * '' | ||
Line 105: | Line 104: | ||
Serves as a parent for evaluating permissions according to the derived objects - for example, I have a permission for the assigned role if I have a permission for the identity, etc. See the children of this abstract class below ('' | Serves as a parent for evaluating permissions according to the derived objects - for example, I have a permission for the assigned role if I have a permission for the identity, etc. See the children of this abstract class below ('' | ||
+ | |||
+ | === Parameters === | ||
+ | * **Use permissions** ('' | ||
==== BasePermissionEvaluator ==== | ==== BasePermissionEvaluator ==== | ||
Line 144: | Line 146: | ||
Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. '' | Gives a permission for industrial relations according to the permission for identity => e.g. if I have a permission to read an identity, I have a permission to read its IR. '' | ||
+ | |||
+ | === Parameters === | ||
+ | * **Use permissions** ('' | ||
<note warning> | <note warning> | ||
Line 373: | Line 378: | ||
Permissions to identity roles. User can manipulate with his own roles. With basic settings for user you dont need this, beacause exist evaluator **IdentityRoleByIdentityEvaluator** and every identity can read all roles for identities that can read. | Permissions to identity roles. User can manipulate with his own roles. With basic settings for user you dont need this, beacause exist evaluator **IdentityRoleByIdentityEvaluator** and every identity can read all roles for identities that can read. | ||
+ | ==== SelfContractEvaluator ==== | ||
+ | |||
+ | @since 10.4.0 | ||
+ | |||
+ | Permissions to contracts. User can manipulate with his own contracts. | ||
==== Universal request agenda (IdmRequest - evaluators) ==== | ==== Universal request agenda (IdmRequest - evaluators) ==== | ||
[[devel: | [[devel: | ||
+ | |||
+ | ==== RoleByRoleCatalogueEvaluator ==== | ||
+ | @since 10.3.0 for **LTS version** is available similar evaluator in [[devel: | ||
+ | |||
+ | Documentation for the evaluator is available [[devel: | ||
+ | |||
+ | ==== IdentityByTreeNodeEvaluator ==== | ||
+ | @since 10.3.0 for **LTS version** is available similar evaluator in [[devel: | ||
+ | |||
+ | Documentation for the evaluator is available [[devel: | ||
+ | |||
===== Default policies ===== | ===== Default policies ===== | ||
Line 390: | Line 411: | ||
If we want to read an identity profile including its assigned roles and IR, to enable password change and to request roles, it is possible to set the default role authorization policies as follows: | If we want to read an identity profile including its assigned roles and IR, to enable password change and to request roles, it is possible to set the default role authorization policies as follows: | ||
- | * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, | + | * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, |
* Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | ||
- | * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator | + | * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator |
- | * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) | + | * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested |
* Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator | ||
* Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | ||
Line 416: | Line 437: | ||
* Code lists (IdmCodeList) | Displaying in autocomplete, | * Code lists (IdmCodeList) | Displaying in autocomplete, | ||
* Code lists - items (IdmCodeListItem) | Displaying in autocomplete, | * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, | ||
- | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | + | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( Add also autocomplete permission to IdmAutomaticRoleAttribute |
* Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | ||
+ | * Permission to read and solve one's requests on virtual systems: Requests on virtual systems (VsRequest) | Administration | VsRequestByImplementerEvaluator ([[tutorial: | ||
<note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity '' | <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity '' | ||
Line 427: | Line 449: | ||
If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: | If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: | ||
* **change** following **permissions** from the userRole: | * **change** following **permissions** from the userRole: | ||
- | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: | + | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: |
* **add** following **permissions** to the userRole: | * **add** following **permissions** to the userRole: | ||
* Users (IdmIdentity) | View in select box (autocomplete), | * Users (IdmIdentity) | View in select box (autocomplete), | ||
Line 490: | Line 512: | ||
If we want to enable for currently logged identity read / update for some form attributes (e.g '' | If we want to enable for currently logged identity read / update for some form attributes (e.g '' | ||
- | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, | + | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, |
* Permission to update '' | * Permission to update '' | ||
- | * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will don' | + | * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will not get permissions to edit other users. |
==== Settings of permissions of contract form (extended) attribute values ==== | ==== Settings of permissions of contract form (extended) attribute values ==== |