Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
devel:documentation:security:dev:authorization [2020/05/18 12:47] kotynekv [Settings of permissions of identity form (extended) attribute values] fix a typo |
devel:documentation:security:dev:authorization [2020/08/25 06:48] tomiskar |
||
---|---|---|---|
Line 41: | Line 41: | ||
<note important> | <note important> | ||
* '' | * '' | ||
+ | * **'' | ||
+ | * **'' | ||
* '' | * '' | ||
* '' | * '' | ||
- | * '' | + | * '' |
- | * '' | + | * '' |
- | * '' | + | |
- | * '' | + | |
- | * '' | + | |
* '' | * '' | ||
* loads all the active policies according to the assigned user roles | * loads all the active policies according to the assigned user roles | ||
Line 82: | Line 81: | ||
* '' | * '' | ||
* '' | * '' | ||
+ | * '' | ||
==== Role==== | ==== Role==== | ||
Line 95: | Line 95: | ||
* '' | * '' | ||
+ | |||
+ | ===== Cache ===== | ||
+ | |||
+ | Cache is used for evaluating authorization policies and permissions by '' | ||
+ | |||
+ | * **'' | ||
+ | * **'' | ||
===== Base authorization evaluators ===== | ===== Base authorization evaluators ===== | ||
Line 379: | Line 386: | ||
Permissions to identity roles. User can manipulate with his own roles. With basic settings for user you dont need this, beacause exist evaluator **IdentityRoleByIdentityEvaluator** and every identity can read all roles for identities that can read. | Permissions to identity roles. User can manipulate with his own roles. With basic settings for user you dont need this, beacause exist evaluator **IdentityRoleByIdentityEvaluator** and every identity can read all roles for identities that can read. | ||
+ | ==== SelfContractEvaluator ==== | ||
+ | |||
+ | @since 10.4.0 | ||
+ | |||
+ | Permissions to contracts. User can manipulate with his own contracts. | ||
==== Universal request agenda (IdmRequest - evaluators) ==== | ==== Universal request agenda (IdmRequest - evaluators) ==== | ||
Line 407: | Line 419: | ||
If we want to read an identity profile including its assigned roles and IR, to enable password change and to request roles, it is possible to set the default role authorization policies as follows: | If we want to read an identity profile including its assigned roles and IR, to enable password change and to request roles, it is possible to set the default role authorization policies as follows: | ||
- | * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, | + | * Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, |
* Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | ||
* Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) | * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) | ||
- | * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested only:true | IdentityRoleByRoleEvaluator | + | * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | **Can be requested only: true** | IdentityRoleByRoleEvaluator |
- | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator | + | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: |
* Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | ||
* Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator | * Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator | ||
Line 420: | Line 432: | ||
* Permission to read and change indetity profile: Identity profile (IdmProfile) | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0) | * Permission to read and change indetity profile: Identity profile (IdmProfile) | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0) | ||
* Enabling the autocomplete for entities: | * Enabling the autocomplete for entities: | ||
- | * User profile (picture) (IdmProfile) | Displaying in autocomplete, | ||
* Users (IdmIdentity) | Displaying in autocomplete, | * Users (IdmIdentity) | Displaying in autocomplete, | ||
+ | * User profile (picture) (IdmProfile) | Displaying in autocomplete, | ||
* Role (IdmRole) | Displaying in autocomplete, | * Role (IdmRole) | Displaying in autocomplete, | ||
* Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, | * Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, | ||
Line 433: | Line 445: | ||
* Code lists (IdmCodeList) | Displaying in autocomplete, | * Code lists (IdmCodeList) | Displaying in autocomplete, | ||
* Code lists - items (IdmCodeListItem) | Displaying in autocomplete, | * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, | ||
- | * Permission to read automatic role requests | + | * Permission to read and solve one' |
- | * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | + | |
<note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity '' | <note tip>From version 9.7.3 isn't feature manually disabled and manually enabled for user allowed by permission Identity '' | ||
Line 443: | Line 454: | ||
If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: | If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: | ||
- | * **change** following **permissions** from the userRole: | ||
- | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: | ||
* **add** following **permissions** to the userRole: | * **add** following **permissions** to the userRole: | ||
* Users (IdmIdentity) | View in select box (autocomplete), | * Users (IdmIdentity) | View in select box (autocomplete), | ||
Line 450: | Line 459: | ||
* Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator** | * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator** | ||
- | <note tip>This configuration is available from version 10.3.0. If you are using some older version, | + | <note tip>This configuration is available from version 10.3.0. If you are using some older version, add one permission instead: |
* Users (IdmIdentity) | View in select box (autocomplete), | * Users (IdmIdentity) | View in select box (autocomplete), | ||
Line 465: | Line 474: | ||
* Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator | * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator | ||
+ | ==== Settings of permissions for virtual system implementer | ||
+ | |||
+ | The virtual system implementer (~approver) role should have following additional permissions: | ||
+ | * Permission to admin virtual system requests: Requests on virtual systems (VsRequest ) | Administration (all) | VsRequestByImplementerEvaluator | ||
==== Default settings of permissions for a role detail ==== | ==== Default settings of permissions for a role detail ==== | ||
Line 473: | Line 486: | ||
* Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator | * Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator | ||
* Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator | * Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator | ||
+ | * Permission to autocomplete automatic roles (tree): Automatic roles (IdmRoleTreeNode) | Displaying in autocomplete, | ||
* Permission to read automatic roles (attributes) by role: | * Permission to read automatic roles (attributes) by role: | ||
- | * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Read | BasePermissionEvaluator | + | * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Displaying in autocomplete, |
* Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator | * Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator | ||
* Permissions to read request for automatic roles (both): | * Permissions to read request for automatic roles (both): | ||
* Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator | * Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator | ||
* Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator | * Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator | ||
+ | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update | AutomaticRoleRequestByWfInvolvedIdentityEvaluator. For create new or delete an automatic role request add another evaluator (for example BasePermissionEvaluator to choosed users). Add also autocomplete permission to IdmAutomaticRoleAttribute (if you use automatic roles by attributes) and IdmRoleTreeNode (if you use automatic roles by organizations.). | ||
* Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator | * Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator | ||
* Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator | * Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator | ||
Line 486: | Line 501: | ||
* Business roles definition (IdmRoleComposition) | - | [[# | * Business roles definition (IdmRoleComposition) | - | [[# | ||
* Business roles definition (IdmRoleComposition) | - | [[# | * Business roles definition (IdmRoleComposition) | - | [[# | ||
+ | * Permission to autocomplete form definitions: | ||
* Role attributes (subdefnition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator | * Role attributes (subdefnition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator | ||
Line 509: | Line 525: | ||
* Permission to autocomplete main form definition: Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | * Permission to autocomplete main form definition: Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | ||
* Permission to update '' | * Permission to update '' | ||
- | * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will don' | + | * and check logged user only checkbox, if currently logged user can edit just itself. Logged user will not get permissions to edit other users. |
==== Settings of permissions of contract form (extended) attribute values ==== | ==== Settings of permissions of contract form (extended) attribute values ==== |