Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
devel:documentation:security:dev:authorization [2020/08/12 10:07] tomiskar [Default settings of permissions for an identity profile] |
devel:documentation:security:dev:authorization [2020/08/25 10:44] tomiskar [Default policies] |
||
|---|---|---|---|
| Line 81: | Line 81: | ||
| * '' | * '' | ||
| * '' | * '' | ||
| + | * '' | ||
| ==== Role==== | ==== Role==== | ||
| Line 409: | Line 410: | ||
| - | < | + | < |
| ===== Examples of configuration ===== | ===== Examples of configuration ===== | ||
| Line 421: | Line 422: | ||
| * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | ||
| * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) | * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) | ||
| - | * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested only:true | IdentityRoleByRoleEvaluator | + | * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | **Can be requested only: true** | IdentityRoleByRoleEvaluator |
| - | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: | + | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: |
| * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | ||
| * Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator | * Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator | ||
| Line 444: | Line 445: | ||
| * Code lists (IdmCodeList) | Displaying in autocomplete, | * Code lists (IdmCodeList) | Displaying in autocomplete, | ||
| * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, | * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, | ||
| - | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update | AutomaticRoleRequestByWfInvolvedIdentityEvaluator. For create new or delete an automatic role request add another evaluator (for example BasePermissionEvaluator to choosed users). Add also autocomplete permission to IdmAutomaticRoleAttribute (if you use automatic roles by attributes) and IdmRoleTreeNode (if you use automatic roles by organizations.). | ||
| * Permission to read and solve one's requests on virtual systems: Requests on virtual systems (VsRequest) | Administration | VsRequestByImplementerEvaluator ([[tutorial: | * Permission to read and solve one's requests on virtual systems: Requests on virtual systems (VsRequest) | Administration | VsRequestByImplementerEvaluator ([[tutorial: | ||
| Line 474: | Line 474: | ||
| * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator | * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator | ||
| + | ==== Settings of permissions for virtual system implementer | ||
| + | |||
| + | The virtual system implementer (~approver) role should have following additional permissions: | ||
| + | * Permission to admin virtual system requests: Requests on virtual systems (VsRequest ) | Administration (all) | VsRequestByImplementerEvaluator | ||
| ==== Default settings of permissions for a role detail ==== | ==== Default settings of permissions for a role detail ==== | ||
| Line 482: | Line 486: | ||
| * Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator | * Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator | ||
| * Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator | * Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator | ||
| + | * Permission to autocomplete automatic roles (tree): Automatic roles (IdmRoleTreeNode) | Displaying in autocomplete, | ||
| * Permission to read automatic roles (attributes) by role: | * Permission to read automatic roles (attributes) by role: | ||
| - | * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Read | BasePermissionEvaluator | + | * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Displaying in autocomplete, |
| * Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator | * Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator | ||
| * Permissions to read request for automatic roles (both): | * Permissions to read request for automatic roles (both): | ||
| * Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator | * Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator | ||
| * Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator | * Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator | ||
| + | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update | AutomaticRoleRequestByWfInvolvedIdentityEvaluator. For create new or delete an automatic role request add another evaluator (for example BasePermissionEvaluator to choosed users). Add also autocomplete permission to IdmAutomaticRoleAttribute (if you use automatic roles by attributes) and IdmRoleTreeNode (if you use automatic roles by organizations.). | ||
| * Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator | * Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator | ||
| * Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator | * Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator | ||
| Line 495: | Line 501: | ||
| * Business roles definition (IdmRoleComposition) | - | [[# | * Business roles definition (IdmRoleComposition) | - | [[# | ||
| * Business roles definition (IdmRoleComposition) | - | [[# | * Business roles definition (IdmRoleComposition) | - | [[# | ||
| + | * Permission to autocomplete form definitions: | ||
| * Role attributes (subdefnition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator | * Role attributes (subdefnition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator | ||