Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
devel:documentation:security:dev:authorization [2020/08/12 10:07] tomiskar [Default settings of permissions for an identity profile] |
devel:documentation:security:dev:authorization [2021/06/11 06:29] 127.0.0.1 external edit |
||
---|---|---|---|
Line 81: | Line 81: | ||
* '' | * '' | ||
* '' | * '' | ||
+ | * '' | ||
==== Role==== | ==== Role==== | ||
* '' | * '' | ||
+ | * '' | ||
==== Identity role==== | ==== Identity role==== | ||
Line 94: | Line 95: | ||
* '' | * '' | ||
+ | * '' | ||
===== Cache ===== | ===== Cache ===== | ||
Line 409: | Line 411: | ||
- | < | + | < |
===== Examples of configuration ===== | ===== Examples of configuration ===== | ||
Line 421: | Line 423: | ||
* Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator | ||
* Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) | * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12) | ||
- | * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested only:true | IdentityRoleByRoleEvaluator | + | * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | **Can be requested only: true** | IdentityRoleByRoleEvaluator |
- | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: | + | * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: |
* Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator | ||
* Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator | * Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator | ||
Line 444: | Line 446: | ||
* Code lists (IdmCodeList) | Displaying in autocomplete, | * Code lists (IdmCodeList) | Displaying in autocomplete, | ||
* Code lists - items (IdmCodeListItem) | Displaying in autocomplete, | * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, | ||
- | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update | AutomaticRoleRequestByWfInvolvedIdentityEvaluator. For create new or delete an automatic role request add another evaluator (for example BasePermissionEvaluator to choosed users). Add also autocomplete permission to IdmAutomaticRoleAttribute (if you use automatic roles by attributes) and IdmRoleTreeNode (if you use automatic roles by organizations.). | ||
* Permission to read and solve one's requests on virtual systems: Requests on virtual systems (VsRequest) | Administration | VsRequestByImplementerEvaluator ([[tutorial: | * Permission to read and solve one's requests on virtual systems: Requests on virtual systems (VsRequest) | Administration | VsRequestByImplementerEvaluator ([[tutorial: | ||
Line 464: | Line 465: | ||
**With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. | **With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. | ||
</ | </ | ||
+ | |||
+ | ==== Default settings of permissions for delegations ==== | ||
+ | |||
+ | Default settings of permissions for delegations are defined in the role ' | ||
+ | |||
+ | <note tip>You can see a detailed configuration of evaluators with comments here: | ||
+ | [[https:// | ||
+ | |InitDelegationRoleProcessor]]</ | ||
==== Settings of permissions for the Helpdesk role ==== | ==== Settings of permissions for the Helpdesk role ==== | ||
Line 474: | Line 483: | ||
* Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator | * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator | ||
+ | ==== Settings of permissions for virtual system implementer | ||
+ | |||
+ | The virtual system implementer (~approver) role should have following additional permissions: | ||
+ | * Permission to admin virtual system requests: Requests on virtual systems (VsRequest ) | Administration (all) | VsRequestByImplementerEvaluator | ||
==== Default settings of permissions for a role detail ==== | ==== Default settings of permissions for a role detail ==== | ||
Line 482: | Line 495: | ||
* Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator | * Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator | ||
* Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator | * Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator | ||
+ | * Permission to autocomplete automatic roles (tree): Automatic roles (IdmRoleTreeNode) | Displaying in autocomplete, | ||
* Permission to read automatic roles (attributes) by role: | * Permission to read automatic roles (attributes) by role: | ||
- | * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Read | BasePermissionEvaluator | + | * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Displaying in autocomplete, |
* Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator | * Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator | ||
* Permissions to read request for automatic roles (both): | * Permissions to read request for automatic roles (both): | ||
* Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator | * Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator | ||
* Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator | * Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator | ||
+ | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update | AutomaticRoleRequestByWfInvolvedIdentityEvaluator. For create new or delete an automatic role request add another evaluator (for example BasePermissionEvaluator to choosed users). Add also autocomplete permission to IdmAutomaticRoleAttribute (if you use automatic roles by attributes) and IdmRoleTreeNode (if you use automatic roles by organizations.). | ||
* Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator | * Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator | ||
* Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator | * Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator | ||
Line 495: | Line 510: | ||
* Business roles definition (IdmRoleComposition) | - | [[# | * Business roles definition (IdmRoleComposition) | - | [[# | ||
* Business roles definition (IdmRoleComposition) | - | [[# | * Business roles definition (IdmRoleComposition) | - | [[# | ||
+ | * Permission to autocomplete form definitions: | ||
* Role attributes (subdefnition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator | * Role attributes (subdefnition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator | ||