Differences

This shows you the differences between two versions of the page.

devel:documentation:security:dev:authorization [2019/05/13 06:40]
tomiskar
devel:documentation:security:dev:authorization [2019/08/15 14:48]
kopro [Default settings of permissions for an identity profile]
Line 73: Line 73:
   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.   * ''PASSWORDCHANGE'' - permission is evaluated, when identity's password is changed.
   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on identity gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
 +  * ''MANUALLYDISABLE''- Deactivate identity manually. Enables bulk action and quick dashboard button.
 +  * ''MANUALLYENABLE''- Activate identity manually. Enables bulk action and quick dashboard button.
  
 ===== Base authorization evaluators ===== ===== Base authorization evaluators =====
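Review bot: The two added entries, ''MANUALLYDISABLE''- and ''MANUALLYENABLE''-, lack the space before the dash that the sibling entries use (''PASSWORDCHANGE'' - ...), and unlike those entries they do not say when the permission is evaluated. Suggest matching the list format, for example "''MANUALLYDISABLE'' - permission is evaluated, when identity is manually deactivated", and stating here how the two relate to ''UPDATE'' on identity, because the entry alone does not tell an administrator which permission gates the bulk action and the dashboard button.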
Line 293: Line 295:
  
 ==== Default settings of permissions for an identity profile ==== ==== Default settings of permissions for an identity profile ====
 +
 +<note tip>From version 9.7.3 is'n feature manually disabled and manually enabled for user allowed by permission Identity UPDATE. But exits own permissions for each operation (MANUALLYDISABLE and MANUALLYENABLE)</note>
  
 This is a typical setting for the **userRole** - regular user as defined in the [[..:..:..:..:instalacni_balicek#definice_opravneni_v_identity_manageru|installation package]]. This is a typical setting for the **userRole** - regular user as defined in the [[..:..:..:..:instalacni_balicek#definice_opravneni_v_identity_manageru|installation package]].
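Review bot: The added <note tip> does not say clearly whether Identity UPDATE still allows manual disable and enable from 9.7.3 onward or only did so before that version; "is'n" and "exits" (exists) leave the sentence readable both ways. This decides who can deactivate or activate an identity after an upgrade, so reword the note to state the version boundary and which permission applies on each side of it, and say whether the userRole defaults listed under this heading should include MANUALLYDISABLE and MANUALLYENABLE.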
Line 306: Line 310:
   * Permission to read role requests in workflow approval: Requests for assigned roles (IdmRoleRequest) | Read, Update, Create, Delete | RoleRequestByWfInvolvedIdentityEvaluator   * Permission to read role requests in workflow approval: Requests for assigned roles (IdmRoleRequest) | Read, Update, Create, Delete | RoleRequestByWfInvolvedIdentityEvaluator
   * Permission to read and execute for tasks: Workflow - tasks | Read, Execute | BasePermissionEvaluator (since the version 7.7.0)   * Permission to read and execute for tasks: Workflow - tasks | Read, Execute | BasePermissionEvaluator (since the version 7.7.0)
-  * Permission to read and change indetity profile: Identity profile | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0)+  * Permission to read and change indetity profile: Identity profile (IdmProfile) | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0)
   * Enabling the autocomplete for entities:   * Enabling the autocomplete for entities:
     * User profile (picture) (IdmProfile) | Displaying in autocomplete, selections | BasePermissionEvaluator     * User profile (picture) (IdmProfile) | Displaying in autocomplete, selections | BasePermissionEvaluator
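Review bot: The changed line still reads "indetity profile"; fix the typo to "identity" while the line is being edited. The added "(IdmProfile)" is the same entity that the autocomplete entry below labels "User profile (picture) (IdmProfile)", so use one display name in both entries to avoid suggesting two different agendas.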
Line 318: Line 322:
     * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator       **(<- use this only when using acc module)**     * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator       **(<- use this only when using acc module)**
     * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator      * Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator 
-  * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possible in wrong place.+  * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly in wrong place.
   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator
  
Line 330: Line 334:
   * Permission to read audit: Audit | Read | BasePermissionEvaluator   * Permission to read audit: Audit | Read | BasePermissionEvaluator
   * Permission to see sent notifications: Notifications | Read | BasePermissionEvaluator   * Permission to see sent notifications: Notifications | Read | BasePermissionEvaluator
-  * FIXME add permissions to see the provisioning queue and archive+  * Permission to see provisioning operations (queue): Provisioning - operations in queue (SysProvisioningOperation) | Read | BasePermissionEvaluator 
 +  * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator
  
 ==== Default settings of permissions for a role detail ==== ==== Default settings of permissions for a role detail ====
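Review bot: The first added line (SysProvisioningOperation) ends with a trailing space, and neither new entry carries a "since the version ..." qualifier like the workflow tasks and identity profile entries earlier on the page. If these agendas or permissions were introduced in a specific release, add that qualifier so an administrator on an older version knows whether the grant applies.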
  • by kucerar