Differences
devel:documentation:security:dev:authorization [2020/08/12 12:26] tomiskar
devel:documentation:security:dev:authorization [2022/03/29 07:50] doischert [ReportByReportTypeEvaluator]
Line 36: | Line 36: | ||
* '' | * '' | ||
* '' | * '' | ||
- | * '' | + | * '' |
< | < | ||
* '' | * '' | ||
Line 81: | Line 81: | ||
* '' | * '' | ||
* '' | * '' | ||
+ | * '' | ||
==== Role==== | ==== Role==== | ||
* '' | * '' | ||
+ | * '' | ||
==== Identity role==== | ==== Identity role==== | ||
Line 94: | Line 95: | ||
* '' | * '' | ||
+ | * '' | ||
===== Cache ===== | ===== Cache ===== | ||
Line 201: | Line 203: | ||
This evaluator solves both ways (or). | This evaluator solves both ways (or). | ||
+ | |||
+ | Evaluator can be used for UC, when role guarantee can assign his roles to users (@since 11.1.0). The authorization policies have to be set as follows: | ||
+ | * Permission to work with guaranteed roles: Roles (IdmRole) | View in select box (autocomplete), | ||
+ | * Permission to all identities: Users (IdmIdentity) | Read | BasePermissionEvaluator | ||
+ | * Permission to assign new role to all contracts: Contracted positions (IdmIdentityContract) | Can be requested | BasePermissionEvaluator | ||
+ | * Permission to read all assigned roles: Assigned roles (IdmIdentityRole) | - | IdentityRoleByIdentityEvaluator | ||
+ | * Permission to assign guaranteed roles: Assigned roles (IdmIdentityRole) | **Can be requested only:true** | IdentityRoleByRoleEvaluator | ||
==== AuthorizationPolicyByRoleEvaluator ==== | ==== AuthorizationPolicyByRoleEvaluator ==== | ||
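Review bot: the first bullet of the new policy list ("Permission to work with guaranteed roles: Roles (IdmRole) | View in select box (autocomplete),") ends with a comma and names no evaluator, while the other four rows each give one; add the evaluator for that row so the policy can actually be created. On the same list, the Read permission on Users (IdmIdentity) and the Can be requested permission on Contracted positions (IdmIdentityContract) are both granted through BasePermissionEvaluator, that is without any scope, so the only row that limits the guarantee to their own roles is the last one with IdentityRoleByRoleEvaluator; one sentence stating that this row carries the restriction would make the purpose of the bold "Can be requested only:true" explicit. "UC" in the introductory sentence is an unexplained abbreviation; spell it out.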
Line 279: | Line 288: | ||
For show identity-accounts only for identities witch have permissions on the accounts. With this evaluator can user show and edit only identity-accounts where is owner for the accounts. | For show identity-accounts only for identities witch have permissions on the accounts. With this evaluator can user show and edit only identity-accounts where is owner for the accounts. | ||
+ | |||
+ | ==== ReportByReportTypeEvaluator ==== | ||
+ | |||
+ | @since 12.2.0 Gives currently logged identity permission to work with a specified report. The report is specified by executor name (e. g., ' | ||
+ | |||
==== SelfReportEvaluator ==== | ==== SelfReportEvaluator ==== | ||
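Review bot: the new ReportByReportTypeEvaluator paragraph breaks off at the executor-name example ("e. g., '"), so the reader never sees what an executor name looks like or where it is entered on the policy; complete the example and name the policy parameter that holds the executor name. The paragraph also says the evaluator "gives permission to work with a specified report" without saying which base permissions it supports, whereas the policy lists elsewhere in this file spell out the permission column (Read, Can be requested, Administration (all)); state the supported permissions here as well.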
Line 409: | Line 423: | ||
- | < | + | < |
===== Examples of configuration ===== | ===== Examples of configuration ===== | ||
Line 463: | Line 477: | ||
**With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. | **With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. | ||
</ | </ | ||
+ | |||
+ | ==== Default settings of permissions for delegations ==== | ||
+ | |||
+ | Default settings of permissions for delegations are defined in the role ' | ||
+ | |||
+ | <note tip>You can see a detailed configuration of evaluators with comments here: | ||
+ | [[https:// | ||
+ | |InitDelegationRoleProcessor]]</ | ||
==== Settings of permissions for the Helpdesk role ==== | ==== Settings of permissions for the Helpdesk role ==== | ||
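Review bot: the sentence "Default settings of permissions for delegations are defined in the role '" breaks off before the role name, so the new section never identifies the role it describes; give the name. The tip then sends the reader to the InitDelegationRoleProcessor source for the evaluator configuration instead of listing it, unlike the Helpdesk section directly below, which enumerates its rows inline (object, permission, evaluator); listing the delegation rows here would let an administrator verify the installed policies without reading the processor source. The link itself is also truncated ("[[https://"), so the reference cannot be followed as rendered.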
Line 473: | Line 495: | ||
* Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator | * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator | ||
+ | ==== Settings of permissions for virtual system implementer | ||
+ | |||
+ | The virtual system implementer (~approver) role should have following additional permissions: | ||
+ | * Permission to admin virtual system requests: Requests on virtual systems (VsRequest ) | Administration (all) | VsRequestByImplementerEvaluator | ||
==== Default settings of permissions for a role detail ==== | ==== Default settings of permissions for a role detail ==== | ||
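Review bot: the new heading "==== Settings of permissions for virtual system implementer" has no closing ==== like the other headings in this file ("==== Settings of permissions for the Helpdesk role ===="), so it will not render as a heading; close it. In the single policy row, "Requests on virtual systems (VsRequest )" has a stray space before the closing parenthesis, and "Administration (all)" is the widest permission used anywhere in this file; the row should say what VsRequestByImplementerEvaluator restricts that permission to (the heading speaks of the implementer, ~approver), because as written the reader is left to guess the scope of "all".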