Differences

This shows you the differences between two versions of the page.

devel:documentation:security:dev:authorization [2020/07/07 09:10]
tomiskar [Base interfaces and classes]
devel:documentation:security:dev:authorization [2022/03/29 07:50]
doischert [ReportByReportTypeEvaluator]
Line 36: Line 36:
     * ''DELETE'' - log deleting     * ''DELETE'' - log deleting
     * ''EXECUTE'' - execute operations (start, cancel etc.)     * ''EXECUTE'' - execute operations (start, cancel etc.)
-  * ''GroupPermission'' - a group (target) permission (e.g. USER, ROLE …). A group of base permissions. This group is assigned specific domain classes (e.g. IdMRole) and determines which base permissions it contains => what can be done with the given type. +  * ''GroupPermission'' - a group (target) permission (e.g. USER, ROLE …). A group of base permissions. This group is assigned specific domain classes (e.g. IdMRole) and determines which base persemissions it contains => what can be done with the given type. 
 <note>By linking a group with a base permission we get an authority - for example ROLE_READ, IDENTITY_WRITE.</note> <note>A Special group is **APP**, which is meant for the application administrators - the authority **APP_ADMIN** is created by linking a group with a base permission. The authority owns all the permissions in the application. </note> <note>By linking a group with a base permission we get an authority - for example ROLE_READ, IDENTITY_WRITE.</note> <note>A Special group is **APP**, which is meant for the application administrators - the authority **APP_ADMIN** is created by linking a group with a base permission. The authority owns all the permissions in the application. </note>
   * ''AuthorizationPolicy'' - a policy according to which the permissions for a specific agenda (attribute ''groupPermission'') and specific domain type  (attribute ''authorizableType'') are evaluated. It determines an evaluator (AuthorizationEvaluator) with specific settings (attribute ''ConfigurationMap'') and which base permissions (attribute ''basePermissions'') can be acquired if the evaluation passes.    * ''AuthorizationPolicy'' - a policy according to which the permissions for a specific agenda (attribute ''groupPermission'') and specific domain type  (attribute ''authorizableType'') are evaluated. It determines an evaluator (AuthorizationEvaluator) with specific settings (attribute ''ConfigurationMap'') and which base permissions (attribute ''basePermissions'') can be acquired if the evaluation passes. 
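Review bot: the right-hand (2022) text of the ''GroupPermission'' bullet introduces a typo, "which base persemissions it contains", where the 2020 text correctly read "which base permissions it contains"; revert that word. The rest of the hunk is unchanged context.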
Line 46: Line 46:
     * ''supportsPermissions()'' - returns true if the assigned permissions are supported. False - it defines them itself internally (e.g. ''AbstractTransitiveEvaluator'').     * ''supportsPermissions()'' - returns true if the assigned permissions are supported. False - it defines them itself internally (e.g. ''AbstractTransitiveEvaluator'').
     * ''getAuthorities(policy)'' - **returns a set of operations** (the set''BasePermission''), which the currently logged in **identity could perform** according to the given policy (e.g. READ, UPDATE).     * ''getAuthorities(policy)'' - **returns a set of operations** (the set''BasePermission''), which the currently logged in **identity could perform** according to the given policy (e.g. READ, UPDATE).
-  * ''AuthorizableService'' - an interface for labeling a service working with entities that it supports evaluating of policies for permissions for data. This has been added mainly because of backward compatibility - permissions for data are linked to individual agendas one by one. The policies can thus be configured only for domain types with services supporting this interface. +  * ''AuthorizableService'' - an interface for labeling a service working with entities that it supports evaluating of policies for permissions for data. This has been added mainly because of backward compatibility - permissions for data are linked to individual agendas one by one. The policies can thus be configured only for domain types with services supporting this interface.
   * ''AuthorizationManager'' - loads and evaluates the set policies for the logged in identity throughout the application:   * ''AuthorizationManager'' - loads and evaluates the set policies for the logged in identity throughout the application:
     * loads all the active policies according to the assigned user roles     * loads all the active policies according to the assigned user roles
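Review bot: the only change to the ''AuthorizableService'' bullet is dropped trailing whitespace, so the hunk is a no-op; while the line is being touched, the opening clause "an interface for labeling a service working with entities that it supports evaluating of policies for permissions for data" would read more clearly as "a marker interface for entity services that support evaluating authorization policies on their data".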
Line 81: Line 81:
   * ''CHANGEEXTERNALCODE'' - @since 10.3.0 - Change identity personal number.   * ''CHANGEEXTERNALCODE'' - @since 10.3.0 - Change identity personal number.
   * ''CHANGEDESCRIPTION'' - @since 10.3.0 - Change identity description.   * ''CHANGEDESCRIPTION'' - @since 10.3.0 - Change identity description.
 +  * ''SWITCHUSER'' - @since 10.5.0 - logged user can login as selected user (switch user). 
  
 ==== Role==== ==== Role====
  
   * ''CANBEREQUESTED'' - role, which can be requested. Used in role request and bulk actions for assign role.   * ''CANBEREQUESTED'' - role, which can be requested. Used in role request and bulk actions for assign role.
 +  * ''CHANGEPERMISSION'' - @since 11.1.0 - create role request for changing identity permissions on related role - usable for role guarantees.
  
 ==== Identity role==== ==== Identity role====
Line 94: Line 95:
  
   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on contract gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on contract gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
 +  * ''CANBEREQUESTED'' - @since 11.1.0 create role request for changing (ADD only) identity permissions on related contract.
 +
 +===== Cache =====
 +
 +Cache is used for evaluating authorization policies and permissions by ''AuthorizationManager'':
 +
 +  * **''core:authorization-policy-cache''** - Cache stores active authorization policies of currently logged user. Cache is evicted after user log out. When authorization policies configuration is changed, then user is logged out and cache is evicted (after permissions removal only). Cache expiration is 2 hour, e.g. if user forgot to log out.
 +  * **''core:permission-cache''** - Cache stores permissions (for data) of currently logged user. Cache is evicted after user log out. Cache expiration is 1 minute - if data structure is changed, then permissions are actualized after this duration. When authorization policies configuration is changed, cache is evicted (completely).
  
 ===== Base authorization evaluators ===== ===== Base authorization evaluators =====
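Review bot: in the new ''core:authorization-policy-cache'' bullet the parenthetical "(after permissions removal only)" leaves it unclear whether the forced log-out happens only when a policy is removed or on every policy configuration change; say explicitly which changes trigger the log-out and the eviction, because a user keeping stale, broader policies until the 2 hour expiration is the case an administrator needs to understand. Also fix "2 hour" to "2 hours", "e.g. if user forgot to log out" to "for the case that the user forgot to log out", and in the ''SWITCHUSER'' bullet "logged user can login as selected user" to "the logged-in user can log in as the selected user".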
Line 194: Line 203:
  
 This evaluator solves both ways (or). This evaluator solves both ways (or).
 +
 +Evaluator can be used for UC, when role guarantee can assign his roles to users (@since 11.1.0). The authorization policies have to be set as follows:
 +  * Permission to work with guaranteed roles: Roles (IdmRole) | View in select box (autocomplete), Read, Update, Delete, Can be requested, Change roles | RoleGuaranteeEvaluator
 +  * Permission to all identities: Users (IdmIdentity) | Read | BasePermissionEvaluator
 +  * Permission to assign new role to all contracts: Contracted positions (IdmIdentityContract) | Can be requested | BasePermissionEvaluator
 +  * Permission to read all assigned roles: Assigned roles (IdmIdentityRole) | - | IdentityRoleByIdentityEvaluator
 +  * Permission to assign guaranteed roles: Assigned roles (IdmIdentityRole) | **Can be requested only:true** | IdentityRoleByRoleEvaluator
  
 ==== AuthorizationPolicyByRoleEvaluator ==== ==== AuthorizationPolicyByRoleEvaluator ====
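Review bot: "UC" in the new paragraph is unexplained; write "use case", and "role guarantee can assign his roles" should be "a role guarantee can assign their guaranteed roles". The second bullet, "Permission to all identities: Users (IdmIdentity) | Read | BasePermissionEvaluator", grants Read on every identity to the guarantee; the text should state that this breadth is required for the use case (the guarantee has to find the target user), so that administrators do not mistake it for a copy-paste slip next to the narrower evaluators in the other bullets.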
Line 272: Line 288:
  
 For show identity-accounts only for identities witch have permissions on the accounts. With this evaluator can user show and edit only identity-accounts where is owner for the accounts. For show identity-accounts only for identities witch have permissions on the accounts. With this evaluator can user show and edit only identity-accounts where is owner for the accounts.
 +
 +==== ReportByReportTypeEvaluator ====
 +
 +@since 12.2.0 Gives currently logged identity permission to work with a specified report. The report is specified by executor name (e. g., 'identity-report'). Only one report can be used; if you need to give access to multiple reports, create the permission multiple times. This evaluator limits which report executors are returned as available by ReportManager. For generated reports, the user is able to see EVERY report of the type which was created. To download a report, a simple READ permission is not enough, a CREATE or ADMIN permission is needed.
 +
  
 ==== SelfReportEvaluator ==== ==== SelfReportEvaluator ====
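Review bot: the sentence "For generated reports, the user is able to see EVERY report of the type which was created" is the key authorization consequence of this evaluator and should be stated plainly rather than in capitals: say that visibility is scoped by report type only, not by the identity that generated the report, so a policy with ReportByReportTypeEvaluator exposes reports of that type generated by other users. Minor: "(e. g., 'identity-report')" should be "(e.g. ''identity-report'')" to match the wiki's monospace convention, and the added blank line before the existing blank line at the end of the section produces a double blank.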
Line 402: Line 423:
  
  
-<note important>The business roles are not dealt with within the default role => the user will get what is set for the default role, nothing more.</note>+<note tip>The business roles are supported with the default role => the user will get all authorization policies from default and all sub roles.</note>
  
 ===== Examples of configuration ===== ===== Examples of configuration =====
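Review bot: the note flips from "business roles are not dealt with within the default role" to "business roles are supported with the default role", which is a behavioural change for every user holding the default role (they now receive the authorization policies of all sub roles); other entries on this page carry "@since" markers, so add the version from which the default role resolves business roles and keep one sentence for readers on older versions.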
Line 414: Line 435:
   * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator   * Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator
   * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12)   * Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator (since the version 9.7.12)
-  * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | Can be requested only:true | IdentityRoleByRoleEvaluator +  * Permission to request roles by copy them from other identity (which can be requested): Assigned roles (IdmIdentityRole) | **Can be requested only: true** | IdentityRoleByRoleEvaluator 
-  * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | | IdentityContractByIdentityEvaluator+  * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: View in select box (autocomplete), Read, Change roles** | IdentityContractByIdentityEvaluator
   * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator   * Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator
   * Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator   * Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator
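Review bot: adding "Change roles" to the ''IdentityContractByIdentityEvaluator'' line in the default user role grants every user CHANGEPERMISSION on their own contracts, which, per the ''CHANGEPERMISSION'' description at Line 94, yields READ, CREATE, UPDATE and DELETE on their own role requests; the bullet should say this self-service scope is intended and that the earlier empty permission column meant no base permissions were granted on contracts. The bolding of "Can be requested only: true" on the previous line is presentation only.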
Line 424: Line 445:
   * Permission to read and change indetity profile: Identity profile (IdmProfile) | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0)   * Permission to read and change indetity profile: Identity profile (IdmProfile) | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0)
   * Enabling the autocomplete for entities:   * Enabling the autocomplete for entities:
-    * User profile (picture) (IdmProfile) | Displaying in autocomplete, selections | BasePermissionEvaluator 
     * Users (IdmIdentity) | Displaying in autocomplete, selections | BasePermissionEvaluator     * Users (IdmIdentity) | Displaying in autocomplete, selections | BasePermissionEvaluator
 +    * User profile (picture) (IdmProfile) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Role (IdmRole) | Displaying in autocomplete, selections | BasePermissionEvaluator     * Role (IdmRole) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, selections | BasePermissionEvaluator     * Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, selections | BasePermissionEvaluator
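Review bot: this hunk only moves the IdmProfile autocomplete line below the IdmIdentity line, with no content change. The unchanged context line above it still reads "indetity profile"; correct it to "identity profile" while this list is being edited.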
Line 437: Line 458:
     * Code lists (IdmCodeList) | Displaying in autocomplete, selections | BasePermissionEvaluator     * Code lists (IdmCodeList) | Displaying in autocomplete, selections | BasePermissionEvaluator
     * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, selections | [[#codelistitembycodelistevaluator|CodeListItemByCodeListEvaluator]] or [[#codelistitembycodeevaluator|CodeListItemByCodeEvaluator]]     * Code lists - items (IdmCodeListItem) | Displaying in autocomplete, selections | [[#codelistitembycodelistevaluator|CodeListItemByCodeListEvaluator]] or [[#codelistitembycodeevaluator|CodeListItemByCodeEvaluator]]
-  * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( Add also autocomplete permission to IdmAutomaticRoleAttribute (if you use automatic roles by attributes) and IdmRoleTreeNode (if you use automatic roles by organizations.). 
-  * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator 
   * Permission to read and solve one's requests on virtual systems: Requests on virtual systems (VsRequest) | Administration | VsRequestByImplementerEvaluator ([[tutorial:adm:modules_vs#permissions]]). If you don't want to display the VS requests agenda to all your users, then we recommend setting this permission to some other role which you will assign only to the VS implementers.   * Permission to read and solve one's requests on virtual systems: Requests on virtual systems (VsRequest) | Administration | VsRequestByImplementerEvaluator ([[tutorial:adm:modules_vs#permissions]]). If you don't want to display the VS requests agenda to all your users, then we recommend setting this permission to some other role which you will assign only to the VS implementers.
  
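Review bot: removing the ''AutomaticRoleRequestByWfInvolvedIdentityEvaluator'' and ''IdmFormDefinition'' autocomplete bullets from the default user role describes a changed default configuration, not just a relocated paragraph: approvers who relied on the user role for automatic role requests need the role-detail permissions added at Line 478 in this same revision. Add a sentence here saying where these permissions moved and that upgraded installations should compare their userRole configuration against the new default.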
Line 448: Line 467:
  
 If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only: If you want to enable the managers of the users to read their subordinates and change their permissions on managed contracts only:
-  * **change** following **permissions** from the userRole: 
-    * Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | **Use permissions: View in select box (autocomplete), Read, Change roles** | **IdentityContractByIdentityEvaluator** 
   * **add** following **permissions** to the userRole:   * **add** following **permissions** to the userRole:
     * Users (IdmIdentity) | View in select box (autocomplete), Read | **SubordinatesEvaluator**     * Users (IdmIdentity) | View in select box (autocomplete), Read | **SubordinatesEvaluator**
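Review bot: dropping the "change following permissions from the userRole" step is consistent with the Line 414 change, where ''IdentityContractByIdentityEvaluator'' now carries "Change roles" by default; add a one-line pointer so readers of this section know the contract permission is now part of the default user role rather than assuming it was removed.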
Line 455: Line 472:
     * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator**     * Assigned roles (IdmIdentityRole) | - | **IdentityRoleByContractEvaluator**
  
-<note tip>This configuration is available from version 10.3.0. If you are using some older version, then no permissions have to be removed and add one permission instead: +<note tip>This configuration is available from version 10.3.0. If you are using some older version, add one permission instead: 
   * Users (IdmIdentity) | View in select box (autocomplete), Read, Change roles | **SubordinatesEvaluator**   * Users (IdmIdentity) | View in select box (autocomplete), Read, Change roles | **SubordinatesEvaluator**
  
 **With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0.  **With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. 
 </note> </note>
 +
 +==== Default settings of permissions for delegations ====
 +
 +Default settings of permissions for delegations are defined in the role '**Delegation (delegationRole)**'.
 +
 +<note tip>You can see a detailed configuration of evaluators with comments here:
 +[[https://github.com/bcvsolutions/CzechIdMng/blob/develop/Realization/backend/core/core-impl/src/main/java/eu/bcvsolutions/idm/core/model/event/processor/module/InitDelegationRoleProcessor.java#L106-L202
 +|InitDelegationRoleProcessor]]</note>
  
 ==== Settings of permissions for the Helpdesk role ==== ==== Settings of permissions for the Helpdesk role ====
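Review bot: the new DokuWiki link in the delegation tip is split across two lines (the URL on one line and "|InitDelegationRoleProcessor]]" on the next), which may not render as a link; put the whole [[url|label]] on one line. The link also targets the develop branch with line anchors #L106-L202, which will drift as that file changes; pin it to a tag or commit so the referenced evaluator configuration stays the one described.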
Line 470: Line 495:
   * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator   * Permission to see provisioning archive: Provisioning - archive (SysProvisioningArchive) | Read | BasePermissionEvaluator
  
 +==== Settings of permissions for virtual system implementer  ====
 +
 +The virtual system implementer (~approver) role should have following additional permissions:
 +  * Permission to admin virtual system requests: Requests on virtual systems (VsRequest ) | Administration (all) | VsRequestByImplementerEvaluator
 ==== Default settings of permissions for a role detail ==== ==== Default settings of permissions for a role detail ====
  
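Review bot: the new "Settings of permissions for virtual system implementer" section runs directly into the following "==== Default settings of permissions for a role detail ====" heading with no blank line between them, unlike the other sections; add one. Also remove the stray space in "(VsRequest )" and the double space before "====" in the heading, and name the role that "(~approver)" refers to, since the Line 437 bullet already recommends a separate role for VS implementers.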
Line 478: Line 507:
     * Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator     * Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator
   * Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator   * Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator
 +  * Permission to autocomplete automatic roles (tree): Automatic roles (IdmRoleTreeNode) | Displaying in autocomplete, selections | BasePermissionEvaluator
   * Permission to read automatic roles (attributes) by role:    * Permission to read automatic roles (attributes) by role: 
-    * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Read | BasePermissionEvaluator+    * Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Displaying in autocomplete, selections, Read | BasePermissionEvaluator
     * Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator     * Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator
   * Permissions to read request for automatic roles (both):   * Permissions to read request for automatic roles (both):
     * Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator     * Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator
     * Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator     * Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator
 +  * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update | AutomaticRoleRequestByWfInvolvedIdentityEvaluator. For create new or delete an automatic role request add another evaluator (for example BasePermissionEvaluator to choosed users). Add also autocomplete permission to IdmAutomaticRoleAttribute (if you use automatic roles by attributes) and IdmRoleTreeNode (if you use automatic roles by organizations.).
   * Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator   * Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator
   * Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator   * Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator
Line 491: Line 522:
     * Business roles definition (IdmRoleComposition) | - | [[#RoleCompositionBySuperiorRoleEvaluator]]     * Business roles definition (IdmRoleComposition) | - | [[#RoleCompositionBySuperiorRoleEvaluator]]
     * Business roles definition (IdmRoleComposition) | - | [[#RoleCompositionBySubRoleEvaluator]]     * Business roles definition (IdmRoleComposition) | - | [[#RoleCompositionBySubRoleEvaluator]]
 +  * Permission to autocomplete form definitions: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | BasePermissionEvaluator
   * Role attributes (subdefnition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator   * Role attributes (subdefnition) (IdmRoleFormAttribute) | - | RoleFormAttributeByRoleEvaluator
  
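Review bot: "IdmFormDefiniton" in the new form-definitions bullet misspells the entity type, which elsewhere on this page is "IdmFormDefinition" (the bullet removed at Line 437); an administrator searching for the type by that name will not find it. In the ''AutomaticRoleRequestByWfInvolvedIdentityEvaluator'' bullet, "For create new or delete an automatic role request add another evaluator (for example BasePermissionEvaluator to choosed users)" should read "To create or delete an automatic role request, add another evaluator (for example BasePermissionEvaluator for chosen users)", and the narrowing from "Read, Update, Create, Delete" in the removed Line 437 bullet to "Read, Update" here deserves one explicit sentence saying it is intentional.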
  • by kucerar