Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Last revision Both sides next revision
devel:documentation:security:dev:authorization [2020/08/25 06:48]
tomiskar 		devel:documentation:security:dev:authorization [2022/03/29 07:50]
doischert [ReportByReportTypeEvaluator]
Line 36: Line 36:
     * ''DELETE'' - log deleting     * ''DELETE'' - log deleting
     * ''EXECUTE'' - execute operations (start, cancel etc.)     * ''EXECUTE'' - execute operations (start, cancel etc.)
-  * ''GroupPermission'' - a group (target) permission (e.g. USER, ROLE …). A group of base permissions. This group is assigned specific domain classes (e.g. IdMRole) and determines which base permissions it contains => what can be done with the given type. +  * ''GroupPermission'' - a group (target) permission (e.g. USER, ROLE …). A group of base permissions. This group is assigned specific domain classes (e.g. IdMRole) and determines which base persemissions it contains => what can be done with the given type. 
 <note>By linking a group with a base permission we get an authority - for example ROLE_READ, IDENTITY_WRITE.</note> <note>A Special group is **APP**, which is meant for the application administrators - the authority **APP_ADMIN** is created by linking a group with a base permission. The authority owns all the permissions in the application. </note> <note>By linking a group with a base permission we get an authority - for example ROLE_READ, IDENTITY_WRITE.</note> <note>A Special group is **APP**, which is meant for the application administrators - the authority **APP_ADMIN** is created by linking a group with a base permission. The authority owns all the permissions in the application. </note>
   * ''AuthorizationPolicy'' - a policy according to which the permissions for a specific agenda (attribute ''groupPermission'') and specific domain type  (attribute ''authorizableType'') are evaluated. It determines an evaluator (AuthorizationEvaluator) with specific settings (attribute ''ConfigurationMap'') and which base permissions (attribute ''basePermissions'') can be acquired if the evaluation passes.    * ''AuthorizationPolicy'' - a policy according to which the permissions for a specific agenda (attribute ''groupPermission'') and specific domain type  (attribute ''authorizableType'') are evaluated. It determines an evaluator (AuthorizationEvaluator) with specific settings (attribute ''ConfigurationMap'') and which base permissions (attribute ''basePermissions'') can be acquired if the evaluation passes. 
Line 86: Line 86:
  
   * ''CANBEREQUESTED'' - role, which can be requested. Used in role request and bulk actions for assign role.   * ''CANBEREQUESTED'' - role, which can be requested. Used in role request and bulk actions for assign role.
 +  * ''CHANGEPERMISSION'' - @since 11.1.0 - create role request for changing identity permissions on related role - usable for role guarantees.
  
 ==== Identity role==== ==== Identity role====
Line 95: Line 95:
  
   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on contract gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.   * ''CHANGEPERMISSION'' - permission is evaluated, when identity's permissions is changed => ''CHANGEPERMISSION'' on contract gives permissions ''READ'', ''CREATE'', ''UPDATE'', ''DELETE'' to identity's role requests.
 +  * ''CANBEREQUESTED'' - @since 11.1.0 create role request for changing (ADD only) identity permissions on related contract.
  
 ===== Cache ===== ===== Cache =====
Line 202: Line 203:
  
 This evaluator solves both ways (or). This evaluator solves both ways (or).
 +
 +Evaluator can be used for UC, when role guarantee can assign his roles to users (@since 11.1.0). The authorization policies have to be set as follows:
 +  * Permission to work with guaranteed roles: Roles (IdmRole) | View in select box (autocomplete), Read, Update, Delete, Can be requested, Change roles | RoleGuaranteeEvaluator
 +  * Permission to all identities: Users (IdmIdentity) | Read | BasePermissionEvaluator
 +  * Permission to assign new role to all contracts: Contracted positions (IdmIdentityContract) | Can be requested | BasePermissionEvaluator
 +  * Permission to read all assigned roles: Assigned roles (IdmIdentityRole) | - | IdentityRoleByIdentityEvaluator
 +  * Permission to assign guaranteed roles: Assigned roles (IdmIdentityRole) | **Can be requested only:true** | IdentityRoleByRoleEvaluator
  
 ==== AuthorizationPolicyByRoleEvaluator ==== ==== AuthorizationPolicyByRoleEvaluator ====
Line 280: Line 288:
  
 For show identity-accounts only for identities witch have permissions on the accounts. With this evaluator can user show and edit only identity-accounts where is owner for the accounts. For show identity-accounts only for identities witch have permissions on the accounts. With this evaluator can user show and edit only identity-accounts where is owner for the accounts.
 +
 +==== ReportByReportTypeEvaluator ====
 +
 +@since 12.2.0 Gives currently logged identity permission to work with a specified report. The report is specified by executor name (e. g., 'identity-report'). Only one report can be used; if you need to give access to multiple reports, create the permission multiple times. This evaluator limits which report executors are returned as available by ReportManager. For generated reports, the user is able to see EVERY report of the type which was created. To download a report, a simple READ permission is not enough, a CREATE or ADMIN permission is needed.
 +
  
 ==== SelfReportEvaluator ==== ==== SelfReportEvaluator ====
Line 410: Line 423:
  
  
-<note important>The business roles are not dealt with within the default role => the user will get what is set for the default role, nothing more.</note>+<note tip>The business roles are supported with the default role => the user will get all authorization policies from default and all sub roles.</note>
  
 ===== Examples of configuration ===== ===== Examples of configuration =====
Line 464: Line 477:
 **With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0.  **With this setting manager will see even other contracts, which not manages** (=> all identity contracts) and can assign role to other contract. This is the reason, why new authorization policies and setting was introduced in version 10.3.0. 
 </note> </note>
 +
 +==== Default settings of permissions for delegations ====
 +
 +Default settings of permissions for delegations are defined in the role '**Delegation (delegationRole)**'.
 +
 +<note tip>You can see a detailed configuration of evaluators with comments here:
 +[[https://github.com/bcvsolutions/CzechIdMng/blob/develop/Realization/backend/core/core-impl/src/main/java/eu/bcvsolutions/idm/core/model/event/processor/module/InitDelegationRoleProcessor.java#L106-L202
 +|InitDelegationRoleProcessor]]</note>
  
 ==== Settings of permissions for the Helpdesk role ==== ==== Settings of permissions for the Helpdesk role ====
  • by kucerar