Differences

devel:documentation:security:dev:authorization [2020/08/12 12:26]
tomiskar
devel:documentation:security:dev:authorization [2021/06/11 06:46]
127.0.0.1 external edit
Line 81: Line 81:
   * ''CHANGEEXTERNALCODE'' - @since 10.3.0 - Change identity personal number.   * ''CHANGEEXTERNALCODE'' - @since 10.3.0 - Change identity personal number.
   * ''CHANGEDESCRIPTION'' - @since 10.3.0 - Change identity description.   * ''CHANGEDESCRIPTION'' - @since 10.3.0 - Change identity description.
 +  * ''SWITCHUSER'' - @since 10.5.0 - logged user can login as selected user (switch user). 
  
 ==== Role==== ==== Role====
  
   * ''CANBEREQUESTED'' - role, which can be requested. Used in role request and bulk actions for assign role.   * ''CANBEREQUESTED'' - role, which can be requested. Used in role request and bulk actions for assign role.
 +  * ''CHANGEPERMISSION'' - @since 11.1.0 - create role request for changing identity permissions on related role - usable for role guarantees.
  
 ==== Identity role==== ==== Identity role====
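Review bot: the new SWITCHUSER bullet in the Line 81 hunk is an impersonation right, and "logged user can login as selected user" is too thin a description for it: it does not say whether the switched session is evaluated with the target identity's own authorization policies, whether the switch (and switch-back) is written to the audit log, or that the permission is meant for administrators only. Suggest expanding it along the lines of `* ''SWITCHUSER'' - @since 10.5.0 - logged-in user can log in as the selected identity (switch user); ...` and stating the audit and permission-scope behaviour there, if that is how it actually behaves. Also "logged user" should read "logged-in user". The new CHANGEPERMISSION bullet under Role shares its name with CHANGEPERMISSION under Identity role but grants something different; it should say explicitly that it only allows creating a role request for the guaranteed role and does not allow editing the role itself.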
Line 94: Line 95:
  
   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on contract gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on contract gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
 +  * ''CANBEREQUESTED'' - @since 11.1.0 create role request for changing (ADD only) identity permissions on related contract.
  
 ===== Cache ===== ===== Cache =====
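Review bot: the new CANBEREQUESTED bullet on Identity role (the `+` line after CHANGEPERMISSION) should spell out what the "ADD only" restriction means for the reader: with CANBEREQUESTED alone a requester can add roles to the contract but cannot remove or modify assigned ones, which still requires CHANGEPERMISSION as described in the preceding bullet. The bullet is also missing the " - " separator after "@since 11.1.0" that every other @since entry in this list uses.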
Line 201: Line 203:
  
 This evaluator solves both ways (or). This evaluator solves both ways (or).
 +
 +Evaluator can be used for UC, when role guarantee can assign his roles to users (@since 11.1.0). The authorization policies can be set as follows:
 +  * Permission to work with guaranteed roles: Roles (IdmRole) | View in select box (autocomplete), Read, Update, Delete, Can be requested, Change roles | BasePermissionEvaluator
 +  * Permission to all identities: Users (IdmIdentity) | Read | BasePermissionEvaluator
 +  * Permission to assign new role to all contracts: Contracted positions (IdmIdentityContract) | Can be requested | BasePermissionEvaluator
 +  * Permission to read all assigned roles: Assigned roles (IdmIdentityRole) | - | IdentityRoleByIdentityEvaluator
 +  * Permission to assign guaranteed roles: Assigned roles (IdmIdentityRole) | **Can be requested only:true** | IdentityRoleByRoleEvaluator
  
 ==== AuthorizationPolicyByRoleEvaluator ==== ==== AuthorizationPolicyByRoleEvaluator ====
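Review bot: in the new role-guarantee use case (Line 201 hunk), the row "Assigned roles (IdmIdentityRole) | - | IdentityRoleByIdentityEvaluator" leaves the permission column empty while its label says "Permission to read all assigned roles"; state the permission (presumably Read) explicitly, or say that this evaluator needs none, otherwise an administrator copying the table cannot reproduce it. The row "Users (IdmIdentity) | Read | BasePermissionEvaluator" grants Read on every identity; a sentence saying this is a deliberate broad grant (every guarantee can browse all users) and that the only role-level restriction is the last row's `Can be requested only:true` would make clear that that setting must not be dropped. A blank line before the first bullet would also separate the list from the preceding sentence, matching the layout of the configuration sections later on the page.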
Line 409: Line 418:
  
  
-<note important>The business roles are not dealt with within the default role => the user will get what is set for the default role, nothing more.</note>+<note tip>The business roles are supported with the default role => the user will get all authorization policies from default and all sub roles.</note>
  
 ===== Examples of configuration ===== ===== Examples of configuration =====
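Review bot: the replaced note (Line 409 hunk) flips the documented behaviour of the default role with business roles from "nothing more than the default role" to "all authorization policies from default and all sub roles", but unlike the other additions in this revision it carries no @since version. Add the version in which sub-role policies started to be inherited, since administrators on older releases would otherwise expect the opposite behaviour. The tip should also flag the consequence: because the default role now transitively grants the policies of every sub-role, adding a sub-role to the default business role widens the permissions of every user at once, so changes to its composition deserve the same review as changes to the default role's own policies.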
Line 463: Line 472:
 **With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0.  **With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. 
 </note> </note>
 +
 +==== Default settings of permissions for delegations ====
 +
 +Default settings of permissions for delegations are defined in the role '**Delegation (delegationRole)**'.
 +
 +<note tip>You can see a detailed configuration of evaluators with comments here:
 +[[https://github.com/bcvsolutions/CzechIdMng/blob/develop/Realization/backend/core/core-impl/src/main/java/eu/bcvsolutions/idm/core/model/event/processor/module/InitDelegationRoleProcessor.java#L106-L202
 +|InitDelegationRoleProcessor]]</note>
  
 ==== Settings of permissions for the Helpdesk role ==== ==== Settings of permissions for the Helpdesk role ====
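Review bot: the new "Default settings of permissions for delegations" section (Line 463 hunk) only names the role "Delegation (delegationRole)" and sends the reader to source code on GitHub for the actual evaluators. List the policies in the page's own "Permission to ...: Entity (Type) | permission | evaluator" form, as the Helpdesk section below does, so the documentation stands on its own. The link points at the `develop` branch with hard line anchors `#L106-L202`, which will silently drift as the file changes; link to a release tag or commit hash instead. The `[[url|InitDelegationRoleProcessor]]` markup is also split across two lines, which should be checked in the rendered page.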
Line 473: Line 490:
   * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator   * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator
  
 +==== Settings of permissions for virtual system implementer  ====
 +
 +The virtual system implementer (~approver) role should have following additional permissions:
 +  * Permission to admin virtual system requests: Requests on virtual systems (VsRequest ) | Administration (all) | VsRequestByImplementerEvaluator
 ==== Default settings of permissions for a role detail ==== ==== Default settings of permissions for a role detail ====
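Review bot: the new virtual system implementer section (Line 473 hunk) grants "Administration (all)" on VsRequest; the sentence should say that VsRequestByImplementerEvaluator confines that permission to requests where the user is the implementer, since "all" otherwise reads as an unrestricted admin grant, or, if a narrower set such as Read and Update is enough for approving, list that instead of "all". Minor: stray space in "VsRequest )", "(~approver)" should be spelled out, and a blank line is missing before the following "==== Default settings of permissions for a role detail ====" heading, unlike the other sections.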
  
  • by koulaj