Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
devel:documentation:security:dev:authorization [2020/05/15 08:32]
tomiskar 		devel:documentation:security:dev:authorization [2020/07/02 11:37]
tomiskar [SelfIdentityRoleEvaluator]
Line 379: Line 379:
 Permissions to identity roles. User can manipulate with his own roles. With basic settings for user you dont need this, beacause exist evaluator **IdentityRoleByIdentityEvaluator** and every identity can read all roles for identities that can read. Permissions to identity roles. User can manipulate with his own roles. With basic settings for user you dont need this, beacause exist evaluator **IdentityRoleByIdentityEvaluator** and every identity can read all roles for identities that can read.
  
 +==== SelfContractEvaluator ====
 +
 +@since 10.4.0
 +
 +Permissions to contracts. User can manipulate with his own contracts.
 ==== Universal request agenda (IdmRequest - evaluators) ==== ==== Universal request agenda (IdmRequest - evaluators) ====
  
Line 407: Line 412:
  
 If we want to read an identity profile including its assigned roles and IR, to enable password change and to request roles, it is possible to set the default role authorization policies as follows: If we want to read an identity profile including its assigned roles and IR, to enable password change and to request roles, it is possible to set the default role authorization policies as follows:
-  * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, reading, change password, manage authorizations | SelfIdentityEvaluator+  * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, reading, Change password, Change roles | SelfIdentityEvaluator
   * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator   * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator
   * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12)   * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12)
Line 433: Line 438:
     * Code lists (IdmCodeList) | Displaying in autocomplete, selections | BasePermissionEvaluator     * Code lists (IdmCodeList) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, selections | [[#codelistitembycodelistevaluator|CodeListItemByCodeListEvaluator]] or [[#codelistitembycodeevaluator|CodeListItemByCodeEvaluator]]     * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, selections | [[#codelistitembycodelistevaluator|CodeListItemByCodeListEvaluator]] or [[#codelistitembycodeevaluator|CodeListItemByCodeEvaluator]]
-  * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place.+  * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( Add also autocomplete permission to IdmAutomaticRoleAttribute (if you use automatic roles by attributes) and IdmRoleTreeNode (if you use automatic roles by organizations.).
   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator
 +  * Permission to read and solve one's requests on virtual systems: Requests on virtual systems (VsRequest) | Administration | VsRequestByImplementerEvaluator ([[tutorial:adm:modules_vs#permissions]]). If you don't want to display the VS requests agenda to all your users, then we recommend setting this permission to some other role which you will assign only to the VS implementers.
  
 <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity ''UPDATE''. But exits own permissions for each operation (''MANUALLYDISABLE'' or ''MANUALLYENABLE'')</note> <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity ''UPDATE''. But exits own permissions for each operation (''MANUALLYDISABLE'' or ''MANUALLYENABLE'')</note>
Line 444: Line 450:
 If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only:
   * **change** following **permissions** from the userRole:   * **change** following **permissions** from the userRole:
-    * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: Read** | **IdentityContractByIdentityEvaluator**+    * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: View in select box (autocomplete), Read, Change roles** | **IdentityContractByIdentityEvaluator**
   * **add** following **permissions** to the userRole:   * **add** following **permissions** to the userRole:
     * Users (IdmIdentity) | View in select box (autocomplete), Read | **SubordinatesEvaluator**     * Users (IdmIdentity) | View in select box (autocomplete), Read | **SubordinatesEvaluator**
Line 507: Line 513:
  
 If we want to enable for currently logged identity read / update for some form attributes (e.g ''phone'') from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows: If we want to enable for currently logged identity read / update for some form attributes (e.g ''phone'') from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows:
-  * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier+  * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier
   * Permission to update ''phone'' attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition same as above, enter ''phone'' as attributes   * Permission to update ''phone'' attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition same as above, enter ''phone'' as attributes
-  * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will don'get permissions to edit other users.+  * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will not get permissions to edit other users.
  
 ==== Settings of permissions of contract form (extended) attribute values ==== ==== Settings of permissions of contract form (extended) attribute values ====
  • by koulaj