Differences
This shows you the differences between two versions of the page.
devel:documentation:security:dev:authorization [2020/07/07 09:10] tomiskar [Base interfaces and classes] |
devel:documentation:security:dev:authorization [2020/08/12 10:07] tomiskar [Default settings of permissions for an identity profile] |
||
---|---|---|---|
Line 46: | Line 46: | ||
* '' | * '' | ||
* '' | * '' | ||
- | * '' | + | * '' |
* '' | * '' | ||
* loads all the active policies according to the assigned user roles | * loads all the active policies according to the assigned user roles | ||
Line 94: | Line 94: | ||
* '' | * '' | ||
+ | |||
+ | ===== Cache ===== | ||
+ | |||
+ | Cache is used for evaluating authorization policies and permissions by '' | ||
+ | |||
+ | * **'' | ||
+ | * **'' | ||
===== Base authorization evaluators ===== | ===== Base authorization evaluators ===== | ||
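Review bot: the opening sentence of the new Cache section ("Cache is used for evaluating authorization policies and permissions by ...") says what the cache serves but not when its entries are discarded. Cached permissions can outlive a role assignment or policy change, so state next to each of the two bulleted caches what clears it, unless the bullet text already does. Also reword to "The cache is used when evaluating ...".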
Line 415: | Line 422: | ||
* Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) | * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) | ||
* Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested only:true | IdentityRoleByRoleEvaluator | * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested only:true | IdentityRoleByRoleEvaluator | ||
- | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator | + | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: |
* Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | ||
* Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator | * Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator | ||
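Review bot: the changed IdentityContractByIdentityEvaluator entry replaces the empty parameter "-" with a "Use permissions" setting in the default userRole list, but the tip further down the page says this configuration is available from version 10.3.0. Check that the entry carries a version marker in the same style as the neighbouring "(since the version 9.7.12)", so that readers on older versions do not configure a parameter their evaluator does not have.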
Line 424: | Line 431: | ||
* Permission to read and change indetity profile: Identity profile (IdmProfile) | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0) | * Permission to read and change indetity profile: Identity profile (IdmProfile) | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0) | ||
* Enabling the autocomplete for entities: | * Enabling the autocomplete for entities: | ||
- | * User profile (picture) (IdmProfile) | Displaying in autocomplete, | ||
* Users (IdmIdentity) | Displaying in autocomplete, | * Users (IdmIdentity) | Displaying in autocomplete, | ||
+ | * User profile (picture) (IdmProfile) | Displaying in autocomplete, | ||
* Role (IdmRole) | Displaying in autocomplete, | * Role (IdmRole) | Displaying in autocomplete, | ||
* Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, | * Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, | ||
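Review bot: the context line at the top of this hunk still reads "read and change indetity profile"; correct it to "identity profile" while the list below it is being reordered. The move of the "User profile (picture) (IdmProfile)" entry below "Users (IdmIdentity)" itself looks fine.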
Line 437: | Line 444: | ||
* Code lists (IdmCodeList) | Displaying in autocomplete, | * Code lists (IdmCodeList) | Displaying in autocomplete, | ||
* Code lists - items (IdmCodeListItem) | Displaying in autocomplete, | * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, | ||
- | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | + | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update | AutomaticRoleRequestByWfInvolvedIdentityEvaluator. For create new or delete an automatic role request add another evaluator |
- | * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, | + | |
* Permission to read and solve one's requests on virtual systems: Requests on virtual systems (VsRequest) | Administration | VsRequestByImplementerEvaluator ([[tutorial: | * Permission to read and solve one's requests on virtual systems: Requests on virtual systems (VsRequest) | Administration | VsRequestByImplementerEvaluator ([[tutorial: | ||
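Review bot: the "Forms - definitions (IdmFormDefinition)" autocomplete entry is removed here with nothing on the new side, so the page no longer says how form definitions on identity and role details are made readable to the default role. Either state where that permission is now granted or note that it is intentionally dropped. On the changed line above it, narrowing IdmAutomaticRoleRequest to "Read, Update" is a sensible least-privilege default, but "For create new or delete an automatic role request add another evaluator" should read "To create or delete an automatic role request, add another evaluator" and should name that evaluator if it does not already.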
Line 448: | Line 454: | ||
If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: | If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: | ||
- | * **change** following **permissions** from the userRole: | ||
- | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: | ||
* **add** following **permissions** to the userRole: | * **add** following **permissions** to the userRole: | ||
* Users (IdmIdentity) | View in select box (autocomplete), | * Users (IdmIdentity) | View in select box (autocomplete), | ||
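Review bot: removing the "change following permissions from the userRole" step for IdmIdentityContract is only correct for installations whose userRole was created with the new default from the earlier hunk. Roles set up under the previous default still have "-" for IdentityContractByIdentityEvaluator, so keep the step as a short note addressed to upgraded installations rather than deleting it outright.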
Line 455: | Line 459: | ||
* Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator** | * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator** | ||
- | <note tip>This configuration is available from version 10.3.0. If you are using some older version, | + | <note tip>This configuration is available from version 10.3.0. If you are using some older version, add one permission instead: |
* Users (IdmIdentity) | View in select box (autocomplete), | * Users (IdmIdentity) | View in select box (autocomplete), | ||