Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
devel:documentation:security:dev:authorization [2020/08/12 10:08] tomiskar [Default settings of permissions for an identity profile] |
devel:documentation:security:dev:authorization [2021/06/16 10:14] husniko [RoleGuaranteeEvaluator] |
||
---|---|---|---|
Line 81: | Line 81: | ||
* '' | * '' | ||
* '' | * '' | ||
+ | * '' | ||
==== Role==== | ==== Role==== | ||
* '' | * '' | ||
+ | * '' | ||
==== Identity role==== | ==== Identity role==== | ||
Line 94: | Line 95: | ||
* '' | * '' | ||
+ | * '' | ||
===== Cache ===== | ===== Cache ===== | ||
Line 201: | Line 203: | ||
This evaluator solves both ways (or). | This evaluator solves both ways (or). | ||
+ | |||
+ | Evaluator can be used for UC, when role guarantee can assign his roles to users (@since 11.1.0). The authorization policies have to be set as follows: | ||
+ | * Permission to work with guaranteed roles: Roles (IdmRole) | View in select box (autocomplete), | ||
+ | * Permission to all identities: Users (IdmIdentity) | Read | BasePermissionEvaluator | ||
+ | * Permission to assign new role to all contracts: Contracted positions (IdmIdentityContract) | Can be requested | BasePermissionEvaluator | ||
+ | * Permission to read all assigned roles: Assigned roles (IdmIdentityRole) | - | IdentityRoleByIdentityEvaluator | ||
+ | * Permission to assign guaranteed roles: Assigned roles (IdmIdentityRole) | **Can be requested only:true** | IdentityRoleByRoleEvaluator | ||
==== AuthorizationPolicyByRoleEvaluator ==== | ==== AuthorizationPolicyByRoleEvaluator ==== | ||
Line 409: | Line 418: | ||
- | < | + | < |
===== Examples of configuration ===== | ===== Examples of configuration ===== | ||
Line 444: | Line 453: | ||
* Code lists (IdmCodeList) | Displaying in autocomplete, | * Code lists (IdmCodeList) | Displaying in autocomplete, | ||
* Code lists - items (IdmCodeListItem) | Displaying in autocomplete, | * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, | ||
- | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update | AutomaticRoleRequestByWfInvolvedIdentityEvaluator. For create new or delete an automatic role request add another evaluator (for example BasePermissionEvaluator to choosed users). Add also autocomplete permission to IdmAutomaticRoleAttribute (if you use automatic roles by attributes) and IdmRoleTreeNode (if you use automatic roles by organizations.). | ||
* Permission to read and solve one's requests on virtual systems: Requests on virtual systems (VsRequest) | Administration | VsRequestByImplementerEvaluator ([[tutorial: | * Permission to read and solve one's requests on virtual systems: Requests on virtual systems (VsRequest) | Administration | VsRequestByImplementerEvaluator ([[tutorial: | ||
Line 464: | Line 472: | ||
**With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. | **With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. | ||
</ | </ | ||
+ | |||
+ | ==== Default settings of permissions for delegations ==== | ||
+ | |||
+ | Default settings of permissions for delegations are defined in the role ' | ||
+ | |||
+ | <note tip>You can see a detailed configuration of evaluators with comments here: | ||
+ | [[https:// | ||
+ | |InitDelegationRoleProcessor]]</ | ||
==== Settings of permissions for the Helpdesk role ==== | ==== Settings of permissions for the Helpdesk role ==== | ||
Line 474: | Line 490: | ||
* Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator | * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator | ||
+ | ==== Settings of permissions for virtual system implementer | ||
+ | |||
+ | The virtual system implementer (~approver) role should have following additional permissions: | ||
+ | * Permission to admin virtual system requests: Requests on virtual systems (VsRequest ) | Administration (all) | VsRequestByImplementerEvaluator | ||
==== Default settings of permissions for a role detail ==== | ==== Default settings of permissions for a role detail ==== | ||
Line 482: | Line 502: | ||
* Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator | * Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator | ||
* Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator | * Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator | ||
+ | * Permission to autocomplete automatic roles (tree): Automatic roles (IdmRoleTreeNode) | Displaying in autocomplete, | ||
* Permission to read automatic roles (attributes) by role: | * Permission to read automatic roles (attributes) by role: | ||
- | * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Read | BasePermissionEvaluator | + | * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Displaying in autocomplete, |
* Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator | * Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator | ||
* Permissions to read request for automatic roles (both): | * Permissions to read request for automatic roles (both): | ||
* Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator | * Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator | ||
* Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator | * Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator | ||
+ | * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update | AutomaticRoleRequestByWfInvolvedIdentityEvaluator. For create new or delete an automatic role request add another evaluator (for example BasePermissionEvaluator to choosed users). Add also autocomplete permission to IdmAutomaticRoleAttribute (if you use automatic roles by attributes) and IdmRoleTreeNode (if you use automatic roles by organizations.). | ||
* Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator | * Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator | ||
* Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator | * Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator | ||
Line 495: | Line 517: | ||
* Business roles definition (IdmRoleComposition) | - | [[# | * Business roles definition (IdmRoleComposition) | - | [[# | ||
* Business roles definition (IdmRoleComposition) | - | [[# | * Business roles definition (IdmRoleComposition) | - | [[# | ||
+ | * Permission to autocomplete form definitions: | ||
* Role attributes (subdefnition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator | * Role attributes (subdefnition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator | ||