Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
devel:documentation:security:dev:authorization [2020/05/07 17:08]
kopro 		devel:documentation:security:dev:authorization [2020/06/22 08:19]
tomiskar [Default settings of permissions for an identity profile]
Line 407: Line 407:
  
 If we want to read an identity profile including its assigned roles and IR, to enable password change and to request roles, it is possible to set the default role authorization policies as follows: If we want to read an identity profile including its assigned roles and IR, to enable password change and to request roles, it is possible to set the default role authorization policies as follows:
-  * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, reading, change password, manage authorizations | SelfIdentityEvaluator+  * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, reading, Change password, Change roles | SelfIdentityEvaluator
   * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator   * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator
-  * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator +  * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) 
-  * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12)+  * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested only:true IdentityRoleByRoleEvaluator
   * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator   * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator
   * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator   * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator
Line 444: Line 444:
 If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only:
   * **change** following **permissions** from the userRole:   * **change** following **permissions** from the userRole:
-    * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: Read** | **IdentityContractByIdentityEvaluator**+    * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: View in select box (autocomplete), Read, Change roles** | **IdentityContractByIdentityEvaluator**
   * **add** following **permissions** to the userRole:   * **add** following **permissions** to the userRole:
     * Users (IdmIdentity) | View in select box (autocomplete), Read | **SubordinatesEvaluator**     * Users (IdmIdentity) | View in select box (autocomplete), Read | **SubordinatesEvaluator**
Line 507: Line 507:
  
 If we want to enable for currently logged identity read / update for some form attributes (e.g ''phone'') from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows: If we want to enable for currently logged identity read / update for some form attributes (e.g ''phone'') from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows:
-  * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier+  * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier
   * Permission to update ''phone'' attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition same as above, enter ''phone'' as attributes   * Permission to update ''phone'' attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition same as above, enter ''phone'' as attributes
-  * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will don'get permissions to edit other users.+  * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will not get permissions to edit other users.
  
 ==== Settings of permissions of contract form (extended) attribute values ==== ==== Settings of permissions of contract form (extended) attribute values ====
  • by koulaj